[ovs-dev] [PATCH] ofp-actions: Fix buffer overread in decode_LEARN_specs().
Ben Pfaff
blp at ovn.org
Mon Jun 25 18:50:51 UTC 2018
The length check was wrong for immediate arguments to "learn" actions.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9047
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
lib/ofp-actions.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
index e91e0b252390..3f7702185a64 100644
--- a/lib/ofp-actions.c
+++ b/lib/ofp-actions.c
@@ -4740,7 +4740,7 @@ learn_min_len(uint16_t header)
min_len += sizeof(ovs_be32); /* src_field */
min_len += sizeof(ovs_be16); /* src_ofs */
} else {
- min_len += DIV_ROUND_UP(n_bits, 16);
+ min_len += 2 * DIV_ROUND_UP(n_bits, 16);
}
if (dst_type == NX_LEARN_DST_MATCH ||
dst_type == NX_LEARN_DST_LOAD) {
--
2.16.1
More information about the dev
mailing list