[ovs-dev] [PATCH] ofp-ed-props: Fix hang for crafted OpenFlow encap/decap properties.

Ben Pfaff blp at ovn.org
Thu Aug 16 15:51:26 UTC 2018


On Wed, Aug 15, 2018 at 04:55:38PM -0700, Darrell Ball wrote:
> On Wed, Aug 15, 2018 at 3:03 PM, Ben Pfaff <blp at ovn.org> wrote:
> 
> > decode_ed_prop() accepted encap/decap properties with a reported length of
> > 0, without consuming any data from the property list, which yielded an
> > infinite loop.
> >
> > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9918
> > Signed-off-by: Ben Pfaff <blp at ovn.org>
> > ---
> >  lib/ofp-ed-props.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/lib/ofp-ed-props.c b/lib/ofp-ed-props.c
> > index 901da2f0dd1b..28382e01235c 100644
> > --- a/lib/ofp-ed-props.c
> > +++ b/lib/ofp-ed-props.c
> > @@ -35,7 +35,7 @@ decode_ed_prop(const struct ofp_ed_prop_header
> > **ofp_prop,
> 
>      size_t len = (*ofp_prop)->len;
> >      size_t pad_len = ROUND_UP(len, 8);
> >
> > -    if (pad_len > *remaining) {
> > +    if (len < sizeof **ofp_prop || pad_len > *remaining) {
> >
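
Review bot: in the condition on the `+` line, the new `len < sizeof **ofp_prop` test rejects the zero-length property, but `(*ofp_prop)->len` is still read two lines earlier, before anything visible in this hunk confirms that `*remaining` is at least `sizeof **ofp_prop`. If no caller guarantees that, compare `*remaining` against the header size ahead of the read. A short comment on the condition would also help: it could say that a reported length of 0 consumes no data from the property list, and that `*remaining` being larger than `pad_len` is expected (presumably because more properties can follow in the list). The diffstat shows only lib/ofp-ed-props.c changed, so consider adding the oss-fuzz reproducer as a regression test.
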
> 
> Is *remaining > pad_len valid?
> If it is, which is not intuitive, maybe a comment will help?

Can you help me understand why it would not be valid?

