[ovs-dev] [PATCH] ofp-actions: Avoid buffer overread in BUNDLE action decoding.

Ben Pfaff blp at ovn.org
Mon Jun 25 20:07:43 UTC 2018


Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9052
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 lib/ofp-actions.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
index e91e0b252390..164057235f08 100644
--- a/lib/ofp-actions.c
+++ b/lib/ofp-actions.c
@@ -1380,12 +1380,13 @@ decode_bundle(bool load, const struct nx_action_bundle *nab,
                      load ? "bundle_load" : "bundle", slaves_size,
                      bundle->n_slaves * sizeof(ovs_be16), bundle->n_slaves);
         error = OFPERR_OFPBAC_BAD_LEN;
-    }
-
-    for (i = 0; i < bundle->n_slaves; i++) {
-        ofp_port_t ofp_port = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
-        ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
-        bundle = ofpacts->header;
+    } else {
+        for (i = 0; i < bundle->n_slaves; i++) {
+            ofp_port_t ofp_port
+                = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
+            ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
+            bundle = ofpacts->header;
+        }
     }
 
     ofpact_finish_BUNDLE(ofpacts, &bundle);
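Review bot: On the new error path the decoded `bundle` header keeps the attacker-supplied `n_slaves` while the loop that would have appended that many `ofp_port_t` entries is now skipped, so after `ofpact_finish_BUNDLE()` the ofpact claims more slaves than the buffer holds. That is harmless only if every caller discards `ofpacts` whenever `error` is set, which this hunk cannot show; the `if` that sets `OFPERR_OFPBAC_BAD_LEN` begins before the hunk and the eventual `return error` lies after it. Clearing the count once the diagnostic has been logged keeps the partially decoded action self-consistent regardless: add `bundle->n_slaves = 0;` after the `error = OFPERR_OFPBAC_BAD_LEN;` line, with a comment such as `/* Nothing was copied; keep n_slaves in step with the buffer. */`. The bound itself (`slaves_size` vs. `n_slaves * sizeof(ovs_be16)`) is computed outside the hunk, so the fix's correctness rests on `slaves_size` being derived from the validated action length rather than from the header. decode_bundle() starts and ends outside this hunk.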
-- 
2.16.1


