[ovs-dev] [PATCH] ofp-actions: Fix buffer overread in decode_LEARN_specs().

Ben Pfaff blp at ovn.org
Mon Jun 25 18:50:51 UTC 2018


The length check was wrong for immediate arguments to "learn" actions.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9047
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 lib/ofp-actions.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
index e91e0b252390..3f7702185a64 100644
--- a/lib/ofp-actions.c
+++ b/lib/ofp-actions.c
@@ -4740,7 +4740,7 @@ learn_min_len(uint16_t header)
         min_len += sizeof(ovs_be32); /* src_field */
         min_len += sizeof(ovs_be16); /* src_ofs */
     } else {
-        min_len += DIV_ROUND_UP(n_bits, 16);
+        min_len += 2 * DIV_ROUND_UP(n_bits, 16);
     }
     if (dst_type == NX_LEARN_DST_MATCH ||
         dst_type == NX_LEARN_DST_LOAD) {
-- 
2.16.1



More information about the dev mailing list