[ovs-dev] [PATCH v3] expr: Access expr_constant.mask only when its type is EXPR_C_INTEGER

Ben Pfaff blp at ovn.org
Thu Oct 11 19:48:18 UTC 2018


On Wed, Oct 10, 2018 at 04:02:56PM -0700, Yifeng Sun wrote:
> It is unsafe to access expr_constant.masked when its type
> is EXPR_C_STRING as its value is uninitialized. This patch
> fixes this issue.
> 
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10731
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10767
> Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
> ---
> v1->v2: Fix email subject by adding [ovs-dev]
> v2->v3: Inspect through code to make sure expr_constant is accessed correctly
> by its type, thanks Ben for the review!

Thanks for the fix.

There was something odd about this, which was that if the field is a
string then it would be EXPR_L_NOMINAL, and so the problem should have
been caught in the test for nominal variables.  Also, the triggering
test case was "ct_label > $set4", and ct_label is not a string field.
Looking closer, $set4 is an empty set, like {}.  That means that the
real underlying problem was that the code was not properly disallowing
empty sets.  So, I sent the following patch:
        https://patchwork.ozlabs.org/patch/982674/

Thanks,

Ben.
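
The two checks discussed in this thread, as an added example that is not part of the original message or of OVN's code: a simplified tagged-constant model (all type and function names are hypothetical) that rejects an empty set before reading any element, and reads the integer-only fields only after checking the type tag. The rule that ordered comparisons reject string and masked operands is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration; these are not OVN's definitions. */
enum const_type { C_INTEGER, C_STRING };

struct constant {
    enum const_type type;
    union {
        struct { uint64_t value, mask; bool masked; } i; /* C_INTEGER only */
        const char *string;                              /* C_STRING only */
    } u;
};

struct constant_set { const struct constant *values; size_t n_values; };

enum check { CHECK_OK, ERR_EMPTY_SET, ERR_NOT_INTEGER, ERR_MASKED };

/* Validate the right-hand side of an ordered comparison such as "f > $set". */
enum check check_ordered_rhs(const struct constant_set *set)
{
    /* An empty set has no values[0]; reject it before reading any element. */
    if (set->n_values == 0) {
        return ERR_EMPTY_SET;
    }
    for (size_t i = 0; i < set->n_values; i++) {
        const struct constant *c = &set->values[i];
        /* Check the tag first: u.i is not initialized for strings. */
        if (c->type != C_INTEGER) {
            return ERR_NOT_INTEGER;
        }
        if (c->u.i.masked) {
            return ERR_MASKED;
        }
    }
    return CHECK_OK;
}

/* Constructed sample inputs. */
static const struct constant INT5 = { C_INTEGER, { .i = { 5, 0, false } } };
static const struct constant MASKED = { C_INTEGER, { .i = { 0x10, 0xf0, true } } };
static const struct constant STR = { C_STRING, { .string = "eth0" } };
static const struct constant_set EMPTY = { NULL, 0 };

int main(void)
{
    const struct constant_set sets[] = { EMPTY, { &INT5, 1 }, { &MASKED, 1 }, { &STR, 1 } };
    for (size_t i = 0; i < 4; i++) printf("set %zu -> %d\n", i, check_ordered_rhs(&sets[i]));
    return 0;
}
```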

