[ovs-dev] [PATCH v2] odp-utils: Fix memory corruption while flow parsing.
Ben Pfaff
blp at nicira.com
Mon Mar 25 01:04:15 UTC 2013
Looks good, thank you.
On Mar 24, 2013 5:22 PM, "Gurucharan Shetty" <shettyg at nicira.com> wrote:
> Currently, when flow attribute type is greater than OVS_KEY_ATTR_MAX,
> we can write into a random memory address causing corruption. Fix it.
>
> Bug #15702.
> Signed-off-by: Gurucharan Shetty <gshetty at nicira.com>
> ---
> lib/odp-util.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/odp-util.c b/lib/odp-util.c
> index f9e9321..751c1c9 100644
> --- a/lib/odp-util.c
> +++ b/lib/odp-util.c
> @@ -1714,6 +1714,7 @@ parse_flow_nlattrs(const struct nlattr *key, size_t
> key_len,
> uint64_t present_attrs;
> size_t left;
>
> + BUILD_ASSERT(OVS_KEY_ATTR_MAX < CHAR_BIT * sizeof present_attrs);
> present_attrs = 0;
> *out_of_range_attrp = 0;
> NL_ATTR_FOR_EACH (nla, left, key, key_len) {
> @@ -1728,7 +1729,7 @@ parse_flow_nlattrs(const struct nlattr *key, size_t
> key_len,
> return false;
> }
>
> - if (type >= CHAR_BIT * sizeof present_attrs) {
> + if (type > OVS_KEY_ATTR_MAX) {
> *out_of_range_attrp = type;
> } else {
> if (present_attrs & (UINT64_C(1) << type)) {
> --
> 1.7.9.5
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-dev/attachments/20130324/4cef85e1/attachment-0003.html>
More information about the dev
mailing list