[ovs-dev] [PATCH] netlink: added check to prevent netlink attribute overflow

Toms Atteka cpp.code.lv at gmail.com
Tue Feb 12 00:23:57 UTC 2019


If a large enough input is passed to odp_actions_from_string, it can
cause a netlink attribute to overflow.
An ovs_assert was added just before the problematic code so that
similar cases can be debugged faster if they arise. A check
for the buffer size was added to prevent entering this function and
to return an appropriate error code.

Basic manual testing was performed.

Reported-by:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12231
Signed-off-by: Toms Atteka <cpp.code.lv at gmail.com>
---
 lib/netlink.c  | 1 +
 lib/odp-util.c | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/lib/netlink.c b/lib/netlink.c
index de3ebcd..c91c868 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -498,6 +498,7 @@ void
 nl_msg_end_nested(struct ofpbuf *msg, size_t offset)
 {
     struct nlattr *attr = ofpbuf_at_assert(msg, offset, sizeof *attr);
+    ovs_assert(msg->size - offset <= USHRT_MAX);
     attr->nla_len = msg->size - offset;
 }
 
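Review bot: The new ovs_assert in nl_msg_end_nested() aborts the process when msg->size - offset exceeds USHRT_MAX, so any caller that reaches it with input-derived data trades a silently truncated nla_len for a crash instead of a handled error. Consider giving the function a failure return (or adding a checked variant) so callers can propagate the error, and add a comment saying the limit is the 16-bit width of nla_len; UINT16_MAX would state that more directly than USHRT_MAX. The hunk also does not show whether lib/netlink.c already includes <limits.h> for USHRT_MAX.
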
diff --git a/lib/odp-util.c b/lib/odp-util.c
index e893f46..9f637ca 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -2161,6 +2161,10 @@ parse_action_list(const char *s, const struct simap *port_names,
         n += retval;
     }
 
+    if (actions->size > USHRT_MAX) {
+        return -EFBIG;
+    }
+
     return n;
 }
 
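Review bot: The size check added to parse_action_list() compares the whole buffer, actions->size, against USHRT_MAX, while the assert added in nl_msg_end_nested() bounds msg->size - offset, so the two limits only coincide when the nested attribute starts at offset 0. If a caller opens the nested attribute at a non-zero offset, this check rejects lists that would still fit; either pass the start offset in and test actions->size - offset, or add a comment stating that the stricter bound is intended. The check also runs only after the loop has consumed all of the input, and the patch carries no regression test for the oss-fuzz reproducer named in Reported-by, which would be worth adding alongside it.
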
-- 
2.7.4
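
The truncation the commit message describes, shown as an added example that is not part of the patch or of Open vSwitch: a nested attribute whose length no longer fits the 16-bit length field, closed with and without a bounds check. The struct, function names and buffer contents are constructed for illustration; only the 16-bit length field and the 4-byte alignment mirror netlink.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the kernel's struct nlattr: the length field is 16 bits. */
struct attr_hdr { uint16_t len, type; };

/* Constructed sample: one nested attribute holding `inner` 8-byte attributes. */
static uint8_t *build_nested(size_t inner, size_t *size) {
    struct attr_hdr in = { 8, 1 }, out = { 0, 2 };   /* outer len set later */
    *size = sizeof out + inner * 8;
    uint8_t *buf = calloc(1, *size);
    if (!buf) abort();
    memcpy(buf, &out, sizeof out);
    for (size_t i = 0; i < inner; i++)
        memcpy(buf + sizeof out + i * 8, &in, sizeof in);
    return buf;
}

/* Close the attribute; without `check` the length is narrowed to 16 bits. */
static int end_nested(uint8_t *buf, size_t size, size_t offset, int check) {
    if (check && size - offset > UINT16_MAX) return -EFBIG;
    uint16_t len = (uint16_t)(size - offset);
    memcpy(buf + offset, &len, sizeof len);   /* len is the first field */
    return len;
}

/* Count the top-level attributes a reader sees when it trusts each len. */
static int count_top_level(const uint8_t *buf, size_t size) {
    int n = 0;
    for (size_t pos = 0; size - pos >= sizeof(struct attr_hdr); n++) {
        struct attr_hdr h;
        memcpy(&h, buf + pos, sizeof h);
        if (h.len < sizeof h || h.len > size - pos) break;
        size_t step = ((size_t)h.len + 3) & ~(size_t)3;   /* NLA_ALIGN */
        pos += step < size - pos ? step : size - pos;
    }
    return n;
}

/* Attribute count after closing the nested attribute, or -EFBIG. */
static int demo(size_t inner, int check) {
    size_t size;
    uint8_t *buf = build_nested(inner, &size);
    int r = end_nested(buf, size, 0, check);
    if (r >= 0) r = count_top_level(buf, size);
    free(buf);
    return r;
}
```

With 8192 inner attributes the buffer is 65540 bytes, the unchecked close stores a length of 4, and a reader then walks the inner attributes as if they were top-level ones; the checked close returns -EFBIG instead.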


