[ovs-dev] [PATCH 1/2] odp-util: Fix a bug that causes stack overflow

Yifeng Sun pkusunyifeng at gmail.com
Tue Oct 9 22:39:17 UTC 2018


ofpbuf_put_hex doesn't know buf's length and only checks buf's content
to process. This is dangerous. This patch fixes it.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855
Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
---
 lib/odp-util.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/odp-util.c b/lib/odp-util.c
index 7705bb30ae21..d482d5bcf968 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -2107,6 +2107,7 @@ parse_odp_push_nsh_action(const char *s, struct ofpbuf *actions)
             if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) {
                 ofpbuf_use_stub(&b, metadata,
                                 NSH_CTX_HDRS_MAX_LEN);
+                buf[n - 6] = '\0';
                 ofpbuf_put_hex(&b, buf, &mdlen);
                 /* Pad metadata to 4 bytes. */
                 padding = PAD_SIZE(mdlen, 4);
-- 
2.7.4



More information about the dev mailing list