From patchwork Thu Oct 11 19:44:33 2018 X-Patchwork-Submitter: Ben Pfaff X-Patchwork-Id: 982674
From: Ben Pfaff To: dev@openvswitch.org Date: Thu, 11 Oct 2018 12:44:33 -0700 Message-Id: <20181011194433.20714-1-blp@ovn.org> X-Mailer: git-send-email 2.16.1 X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Ben Pfaff Subject: [ovs-dev] [PATCH] expr: Disallow < <= >= > comparisons against empty value set. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org OVN expression syntax does not allow a literal empty value set, like {}. Rather, any literal value set has to have at least one value. However, value sets that originate from address sets or from port groups can be empty. In such a case, == and != comparisons are allowed but < <= >= > should be errors. The actual implementation failed to properly disallow the latter and instead tried to access the first element of the value set, a bad read. This fixes the problem. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10731 Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10767 Signed-off-by: Ben Pfaff Reviewed-by: Yifeng Sun --- ovn/lib/expr.c | 5 +++++ tests/ovn.at | 2 ++ 2 files changed, 7 insertions(+) diff --git a/ovn/lib/expr.c b/ovn/lib/expr.c index 148ac869e861..16dd1776b543 100644 --- a/ovn/lib/expr.c +++ b/ovn/lib/expr.c @@ -578,6 +578,11 @@ make_cmp(struct expr_context *ctx, f->symbol->name); goto exit; } + if (!cs->n_values) { + lexer_error(ctx->lexer, "Only == and != operators may be used " + "to compare a field against an empty value set."); + goto exit; + } if (cs->values[0].masked) { lexer_error(ctx->lexer, "Only == and != operators may be used " "with masked constants. Consider using subfields " 
diff --git a/tests/ovn.at b/tests/ovn.at index 44475175d20a..94676a9aa802 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -351,6 +351,8 @@ eth.dst[40] x => Syntax error at `x' expecting end of input. ip4.src == {1.2.3.4, $set1, $unknownset} => Syntax error at `$unknownset' expecting address set name. eth.src == {$set3, badmac, 00:00:00:00:00:01} => Syntax error at `badmac' expecting constant. + +ct_label > $set4 => Only == and != operators may be used to compare a field against an empty value set. ]]) sed 's/ =>.*//' test-cases.txt > input.txt sed 's/.* => //' test-cases.txt > expout
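Review bot: In the ovn/lib/expr.c hunk, the new lexer_error() in make_cmp() does not say which field or which set triggered it, while the error just above it passes f->symbol->name. Since an empty value set can only come from an address set or port group, never from a literal, naming the field (and ideally the set) would tell the user which definition to look at. The placement of the `if (!cs->n_values)` test ahead of the `cs->values[0].masked` read is right for this path. A one-line comment noting that n_values can be zero only for expanded address sets and port groups would explain why the guard exists, and it is worth confirming that no other relational path in this file reads cs->values[0] without the same check.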
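Review bot: In the tests/ovn.at hunk, the added case `ct_label > $set4` exercises only one of the four operators the commit message lists as errors. Adding `<`, `<=` and `>=` cases against $set4 would pin the whole rule. A case showing that `==` and `!=` against the same empty set still parse would guard against the new check being moved or widened later. The commit message also names port groups as a source of empty sets, and a case using an empty port group would cover that origin too, if the test harness defines one.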