[ovs-dev] [PATCH] learn: Fix buffer overflow in parsing "learn" action strings.

Ben Pfaff blp at nicira.com
Wed Feb 25 17:12:38 UTC 2015


Don't panic, this is not a remote buffer overflow, only a bug in a program
parsing its input from the command line or a file.

Found by inspection.

Signed-off-by: Ben Pfaff <blp at nicira.com>
---
 lib/learn.c    |  6 +++++-
 tests/learn.at | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/learn.c b/lib/learn.c
index 71c9780..de4f2a7 100644
--- a/lib/learn.c
+++ b/lib/learn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2012, 2013, 2014 Nicira, Inc.
+ * Copyright (c) 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -207,6 +207,10 @@ learn_parse_load_immediate(const char *s, struct ofpact_learn_spec *spec)
             if (hexit < 0) {
                 return xasprintf("%s: bad hex digit in value", full_s);
             }
+            if (hexit && i / 2 >= sizeof imm.u8) {
+                return xasprintf("%s: too many bits in immediate value",
+                                 full_s);
+            }
             out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;
         }
         s = arrow;
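Review bot: the added bounds check only fires when hexit is nonzero, so for an immediate with more leading zero digits than imm.u8 can hold, the unchanged line `out[-(i / 2)] |= i % 2 ? hexit << 4 : hexit;` still executes with i / 2 >= sizeof imm.u8. The stored value does not change because it ORs in zero, but it is still a read-modify-write at an index outside the range the new check is guarding (assuming out indexes backward from the end of imm.u8, as the sizeof imm.u8 bound implies). Suggest testing `i / 2 >= sizeof imm.u8` on its own, returning the error inside that branch only when hexit is nonzero and otherwise skipping the store, so that excess leading zeros remain accepted without touching memory outside the buffer.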
diff --git a/tests/learn.at b/tests/learn.at
index 322ab84..0372e4a 100644
--- a/tests/learn.at
+++ b/tests/learn.at
@@ -91,6 +91,20 @@ ovs-ofctl: actions are invalid with specified match (OFPBAC_MATCH_INCONSISTENT)
 ]])
 AT_CLEANUP
 
+AT_SETUP([learning action - too-long immediate value])
+dnl 129 bits is too long.
+AT_CHECK([[ovs-ofctl parse-flow 'actions=learn(load:0x1fedbca9876543210fedbca9876543210->NXM_NX_IPV6_DST[])']],
+  [1], [], [[ovs-ofctl: 0x1fedbca9876543210fedbca9876543210->NXM_NX_IPV6_DST[]: too many bits in immediate value
+]])
+
+dnl 128 bits is merely a bad prerequisite.
+AT_CHECK([[ovs-ofctl parse-flow 'actions=learn(load:0xfedbca9876543210fedbca9876543210->NXM_NX_IPV6_DST[])']], [1], [], [stderr])
+AT_CHECK([sed -e 's/.*|meta_flow|WARN|//' < stderr], [0],
+  [[destination field ipv6_dst lacks correct prerequisites
+ovs-ofctl: actions are invalid with specified match (OFPBAC_MATCH_INCONSISTENT)
+]], [[]])
+AT_CLEANUP
+
 AT_SETUP([learning action - standard VLAN+MAC learning])
 OVS_VSWITCHD_START(
   [add-port br0 p1 -- set Interface p1 type=dummy ofport_request=1 -- \
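Review bot: the new test covers a 129-bit value with a nonzero top digit and an exact 128-bit value, but not the case that the `hexit &&` condition in lib/learn.c deliberately lets through, namely an immediate with extra leading zero digits beyond 128 bits. Suggest adding a third AT_CHECK with the 128-bit constant prefixed by one or more 0 digits, expecting the same "lacks correct prerequisites" result as the 128-bit case, so the intended acceptance of leading zeros is pinned down and that path is exercised under the test suite.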
-- 
2.1.3



