[ovs-dev] [PATCH] expr: Set a limit on the depth of nested parentheses

Yifeng Sun pkusunyifeng at gmail.com
Thu Oct 4 23:30:10 UTC 2018


Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10714
Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
Suggested-by: Ben Pfaff <blp at ovn.org>
---
 ovn/lib/expr.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/ovn/lib/expr.c b/ovn/lib/expr.c
index 0a2cef2f0ee9..cabd5c60d9c8 100644
--- a/ovn/lib/expr.c
+++ b/ovn/lib/expr.c
@@ -459,6 +459,8 @@ expr_print(const struct expr *e)
 
 /* Parsing. */
 
+#define MAX_LPAREN_DEPTH 100
+
 /* Context maintained during expr_parse(). */
 struct expr_context {
     struct lexer *lexer;           /* Lexer for pulling more tokens. */
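Review bot: `MAX_LPAREN_DEPTH` is added without a comment saying what it bounds or why 100 was chosen. The linked OSS-Fuzz report suggests the limit exists to stop deeply nested input from driving the `expr_parse_primary()` / `expr_parse__()` recursion too far, presumably to the point of exhausting the stack, and the macro should say so. I would add `/* Maximum nesting of parentheses accepted by the parser; bounds recursion in expr_parse_primary() on untrusted input. */` above it. The name could also match the `paren_depth` field it is compared against, for example `MAX_PAREN_DEPTH`.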
@@ -466,6 +468,7 @@ struct expr_context {
     const struct shash *addr_sets; /* Address set table. */
     const struct shash *port_groups; /* Port group table. */
     bool not;                    /* True inside odd number of NOT operators. */
+    unsigned int paren_depth;	 /* Depth of nested parentheses. */
 };
 
 struct expr *expr_parse__(struct expr_context *);
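Review bot: The new `paren_depth` member has a tab between the declaration and its comment, while the neighbouring members in this struct are aligned with spaces. Replacing the tab with spaces, `unsigned int paren_depth;   /* Depth of nested parentheses. */`, keeps the column consistent whatever the tab width.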
@@ -1080,11 +1083,17 @@ expr_parse_primary(struct expr_context *ctx, bool *atomic)
 {
     *atomic = false;
     if (lexer_match(ctx->lexer, LEX_T_LPAREN)) {
+        if (++ctx->paren_depth > MAX_LPAREN_DEPTH) {
+            lexer_syntax_error(ctx->lexer,
+                               "parenthesis nested too deeply");
+            return NULL;
+        }
         struct expr *e = expr_parse__(ctx);
         if (!lexer_force_match(ctx->lexer, LEX_T_RPAREN)) {
             expr_destroy(e);
             return NULL;
         }
+        --ctx->paren_depth;
         *atomic = true;
         return e;
     }
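Review bot: The depth counter stays incremented on both early returns in this hunk: the new `return NULL` after `lexer_syntax_error()` and the existing `lexer_force_match()` failure path both skip `--ctx->paren_depth`. That looks harmless as long as the context is thrown away after the first error, which is what `expr_parse()` appears to do, but decrementing right after the recursive call (`struct expr *e = expr_parse__(ctx);` then `ctx->paren_depth--;`) and undoing the increment before the limit return would keep the counter balanced regardless. The diffstat touches only expr.c, so a regression test that accepts exactly `MAX_LPAREN_DEPTH` nested parentheses and rejects one more would pin the boundary. The message would also read better as `"parentheses nested too deeply"`. The body of expr_parse_primary continues past the end of the hunk.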
@@ -1270,7 +1279,8 @@ expr_parse(struct lexer *lexer, const struct shash *symtab,
     struct expr_context ctx = { .lexer = lexer,
                                 .symtab = symtab,
                                 .addr_sets = addr_sets,
-                                .port_groups = port_groups };
+                                .port_groups = port_groups,
+                                .paren_depth = 0 };
     return lexer->error ? NULL : expr_parse__(&ctx);
 }
 
-- 
2.7.4


