| Message ID | 6c2ad7cd08cc6295ce500d3adb1e657addb2685e.1749133911.git.echaudro@redhat.com |
|---|---|
| State | Accepted |
| Commit | d1bd62dae5534ea04dceec0e9a32eb2b136fe45c |
| Delegated to: | aaron conole |
| Headers | show |
| Series | Various Coverity fixes. | expand |
| Context | Check | Description |
|---|---|---|
| ovsrobot/apply-robot | success | apply and check: success |
| ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
Eelco Chaudron via dev <ovs-dev@openvswitch.org> writes: > In the IPFIX and flow sample upcall handling, check the validity > of the tunnel key returned by odp_tun_key_from_attr(). If the > tunnel key is invalid, return an error. > > his was reported by Coverity, but the change also improves ^ = This Can probably be fixed on apply. > robustness and avoids undefined behavior in the case of malformed > tunnel attributes. > > Fixes: 8b7ea2d48033 ("Extend OVS IPFIX exporter to export tunnel headers") > Signed-off-by: Eelco Chaudron <echaudro@redhat.com> > --- Acked-by: Aaron Conole <aconole@redhat.com> > ofproto/ofproto-dpif-upcall.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c > index 7577d14ec..53e59580d 100644 > --- a/ofproto/ofproto-dpif-upcall.c > +++ b/ofproto/ofproto-dpif-upcall.c > @@ -1563,8 +1563,11 @@ process_upcall(struct udpif *udpif, struct upcall *upcall, > memset(&ipfix_actions, 0, sizeof ipfix_actions); > > if (upcall->out_tun_key) { > - odp_tun_key_from_attr(upcall->out_tun_key, &output_tunnel_key, > - NULL); > + if (odp_tun_key_from_attr(upcall->out_tun_key, > + &output_tunnel_key, > + NULL) != ODP_FIT_ERROR) { > + return EINVAL; > + } > } > > actions_len = dpif_read_actions(udpif, upcall, flow,
On 5 Jun 2025, at 18:39, Aaron Conole wrote: > Eelco Chaudron via dev <ovs-dev@openvswitch.org> writes: > >> In the IPFIX and flow sample upcall handling, check the validity >> of the tunnel key returned by odp_tun_key_from_attr(). If the >> tunnel key is invalid, return an error. >> >> his was reported by Coverity, but the change also improves > > ^ = This > > Can probably be fixed on apply. > >> robustness and avoids undefined behavior in the case of malformed >> tunnel attributes. >> >> Fixes: 8b7ea2d48033 ("Extend OVS IPFIX exporter to export tunnel headers") >> Signed-off-by: Eelco Chaudron <echaudro@redhat.com> >> --- > > Acked-by: Aaron Conole <aconole@redhat.com> Thanks for the review Aaron! Applied to main with the commit message change. //Eelco
diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c index 7577d14ec..53e59580d 100644 --- a/ofproto/ofproto-dpif-upcall.c +++ b/ofproto/ofproto-dpif-upcall.c @@ -1563,8 +1563,11 @@ process_upcall(struct udpif *udpif, struct upcall *upcall, memset(&ipfix_actions, 0, sizeof ipfix_actions); if (upcall->out_tun_key) { - odp_tun_key_from_attr(upcall->out_tun_key, &output_tunnel_key, - NULL); + if (odp_tun_key_from_attr(upcall->out_tun_key, + &output_tunnel_key, + NULL) != ODP_FIT_ERROR) { + return EINVAL; + } } actions_len = dpif_read_actions(udpif, upcall, flow,
In the IPFIX and flow sample upcall handling, check the validity of the tunnel key returned by odp_tun_key_from_attr(). If the tunnel key is invalid, return an error. his was reported by Coverity, but the change also improves robustness and avoids undefined behavior in the case of malformed tunnel attributes. Fixes: 8b7ea2d48033 ("Extend OVS IPFIX exporter to export tunnel headers") Signed-off-by: Eelco Chaudron <echaudro@redhat.com> --- ofproto/ofproto-dpif-upcall.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)