[ovs-dev] [PATCH] ofp-ed-props: Fix hang for crafted OpenFlow encap/decap properties.

Ben Pfaff blp at ovn.org
Wed Aug 15 22:03:43 UTC 2018


decode_ed_prop() accepted encap/decap properties with a reported length of
0, without consuming any data from the property list, which yielded an
infinite loop.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9918
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 lib/ofp-ed-props.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ofp-ed-props.c b/lib/ofp-ed-props.c
index 901da2f0dd1b..28382e01235c 100644
--- a/lib/ofp-ed-props.c
+++ b/lib/ofp-ed-props.c
@@ -35,7 +35,7 @@ decode_ed_prop(const struct ofp_ed_prop_header **ofp_prop,
     size_t len = (*ofp_prop)->len;
     size_t pad_len = ROUND_UP(len, 8);
 
-    if (pad_len > *remaining) {
+    if (len < sizeof **ofp_prop || pad_len > *remaining) {
         return OFPERR_OFPBAC_BAD_LEN;
     }
 
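Review bot: The added `len < sizeof **ofp_prop` clause in the length check has no regression test alongside it; the diffstat touches only lib/ofp-ed-props.c. Consider adding a test case that feeds decode_ed_prop() an encap/decap property with a reported length of 0 (the OSS-Fuzz input class described in the commit message) and one with a nonzero length shorter than the property header, each expecting OFPERR_OFPBAC_BAD_LEN. A short comment above the condition saying that a length smaller than the header must be rejected because a zero-length property consumes nothing from the list would also keep the clause from being dropped in a later cleanup.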
-- 
2.16.1


