[ovs-dev] [PATCH] flow: Avoid buffer overread in parse_nsh() for malformed packet.

Ben Pfaff blp at ovn.org
Wed Nov 29 16:30:00 UTC 2017


Found by libfuzzer.

CC: Jan Scheurich <jan.scheurich at ericsson.com>
Fixes: 7edef47b4896 ("NSH: Minor bugfixes")
Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 lib/flow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/flow.c b/lib/flow.c
index 1adc49970a3a..bc24fe7e20d3 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -553,7 +553,7 @@ parse_nsh(const void **datap, size_t *sizep, struct flow_nsh *key)
     /* NSH header length is in 4 byte words. */
     length = ((ver_flags_len & NSH_LEN_MASK) >> NSH_LEN_SHIFT) << 2;
 
-    if (version != 0) {
+    if (length > *sizep || version != 0) {
         return false;
     }
 
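Review bot: The new `length > *sizep` test in the combined condition only bounds `length` from above; since `length` is taken straight from the untrusted `ver_flags_len` field, it is worth confirming that a lower bound (a length smaller than the fixed part of the NSH header that the rest of parse_nsh() goes on to read) is rejected somewhere too, or noting in a comment why it cannot cause an overread. A one-line comment above the `if` saying that the header length is packet-controlled and must fit in the remaining `*sizep` would also make the purpose of the check clear to the next reader, since the existing comment only explains the unit conversion.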
-- 
2.10.2
