[ovs-dev] [PATCH v3] expr: Access expr_constant.mask only when its type is EXPR_C_INTEGER

Yifeng Sun pkusunyifeng at gmail.com
Wed Oct 10 23:02:56 UTC 2018

It is unsafe to access expr_constant.masked when its type
is EXPR_C_STRING as its value is uninitialized. This patch
fixes this issue.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10731
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10767
Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
v1->v2: Fix email subject by adding [ovs-dev]
v2->v3: Inspect through code to make sure expr_constant is accessed correctly
by its type, thanks Ben for the review!

 ovn/lib/expr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ovn/lib/expr.c b/ovn/lib/expr.c
index 5880fd2e7289..0fbe109783da 100644
--- a/ovn/lib/expr.c
+++ b/ovn/lib/expr.c
@@ -581,7 +581,7 @@ make_cmp(struct expr_context *ctx,
             goto exit;
-        if (cs->values[0].masked) {
+        if (cs->type == EXPR_C_INTEGER && cs->values[0].masked) {
             lexer_error(ctx->lexer, "Only == and != operators may be used "
                         "with masked constants.  Consider using subfields "
                         "instead (e.g. eth.src[0..15] > 0x1111 in place of "

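Review bot: the type guard added to the `cs->values[0].masked` check in make_cmp() comes without a regression test; the diffstat lists only ovn/lib/expr.c. Consider adding a test expression that brings an EXPR_C_STRING constant to this check, so the uninitialized read described in the commit message and the two oss-fuzz reports stays covered. A one-line comment above the condition saying that `masked` is only valid for EXPR_C_INTEGER constants would also help. Separately, the subject line says `expr_constant.mask` while the field tested here is `masked`.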