[ovs-dev] [PATCH] NSH: Fix NSH-related length macros that cause stack overflow

Yifeng Sun pkusunyifeng at gmail.com
Thu Oct 25 21:41:50 UTC 2018


In the ver_flags_ttl_len field of struct nshhdr, only 6 bits are
used to indicate the header's total length in 4-byte words.
Therefore, the maximum total length is 252 (63x4), instead of the 256
used in the present code base. This patch fixes it.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855
Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
---
 datapath/linux/compat/include/net/nsh.h | 4 ++--
 include/openvswitch/nsh.h               | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/datapath/linux/compat/include/net/nsh.h b/datapath/linux/compat/include/net/nsh.h
index ff3733d9032d..76894910cfcb 100644
--- a/datapath/linux/compat/include/net/nsh.h
+++ b/datapath/linux/compat/include/net/nsh.h
@@ -247,10 +247,10 @@ struct nshhdr {
 #define NSH_M_TYPE1_LEN   24
 
 /* NSH header maximum Length. */
-#define NSH_HDR_MAX_LEN 256
+#define NSH_HDR_MAX_LEN 252
 
 /* NSH context headers maximum Length. */
-#define NSH_CTX_HDRS_MAX_LEN 248
+#define NSH_CTX_HDRS_MAX_LEN 244
 
 static inline struct nshhdr *nsh_hdr(struct sk_buff *skb)
 {
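Review bot: The new limits `252` and `244` are still bare literals, so the derivation the commit message relies on (63 words of 4 bytes from the 6-bit length field) is not recorded next to the macros; the same is true of the identical hunk in include/openvswitch/nsh.h. Since these macros presumably bound a length that comes from packet data, I would state the derivation in the comment, e.g. `/* NSH header maximum length: the 6-bit length field counts 4-byte words, so 63 * 4. */`. The context-header limit could then be derived instead of repeated, `#define NSH_CTX_HDRS_MAX_LEN (NSH_HDR_MAX_LEN - NSH_BASE_HDR_LEN)`, assuming the 8-byte difference is the base header and NSH_BASE_HDR_LEN is defined above this hunk. The code that consumes these limits lies outside the hunk.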
diff --git a/include/openvswitch/nsh.h b/include/openvswitch/nsh.h
index 55f59d636e5a..afed932fcb75 100644
--- a/include/openvswitch/nsh.h
+++ b/include/openvswitch/nsh.h
@@ -263,10 +263,10 @@ struct nsh_hdr {
 #define NSH_M_TYPE1_LEN   24
 
 /* NSH header maximum Length. */
-#define NSH_HDR_MAX_LEN 256
+#define NSH_HDR_MAX_LEN 252
 
 /* NSH context headers maximum Length. */
-#define NSH_CTX_HDRS_MAX_LEN 248
+#define NSH_CTX_HDRS_MAX_LEN 244
 
 static inline uint16_t
 nsh_hdr_len(const struct nsh_hdr *nsh)
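Review bot: Nothing in this header checks the constant against the width of the length field, so the two can drift apart again, here or in the datapath copy that this patch changes in parallel. A compile-time check next to the definition would catch that, for example `BUILD_ASSERT_DECL(NSH_HDR_MAX_LEN == ((NSH_LEN_MASK >> NSH_LEN_SHIFT) << 2));`, assuming those macros are in scope at this point of the header. The buffers and parsers sized by these macros are not visible in the hunk, so whether each of them also rejects an over-long header at run time cannot be confirmed from here.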
-- 
2.7.4


