[ovs-dev] [PATCH] ofp-actions: Report an error if there are too many actions to parse.
Ilya Maximets
i.maximets at ovn.org
Wed Jun 16 20:37:21 UTC 2021
On 6/16/21 10:34 PM, Ilya Maximets wrote:
> Not a very important fix, but fuzzer times out trying to test parsing
> of a huge number of actions. Fixing that by reporting an error as
> soon as ofpacts oversized.
>
> It would be great to use ofpacts_oversized() function instead of manual
> size checking, but ofpacts->header here always points to the last
> pushed action, so the value that ofpacts_oversized() would check is
> always small.
Ugh. s/ofpacts_oversized/ofpbuf_oversized/
I can fix that on commit if the new version will not be necessary
otherwise.
>
> Adding a unit test for this, plus the extra test for too deep nesting.
>
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20254
> Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
> ---
> lib/ofp-actions.c | 4 ++++
> tests/ofp-actions.at | 6 ++++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
> index 6fb3da507..ecf914eac 100644
> --- a/lib/ofp-actions.c
> +++ b/lib/ofp-actions.c
> @@ -9326,6 +9326,7 @@ static char * OVS_WARN_UNUSED_RESULT
> ofpacts_parse__(char *str, const struct ofpact_parse_params *pp,
> bool allow_instructions, enum ofpact_type outer_action)
> {
> + uint32_t orig_size = pp->ofpacts->size;
> char *key, *value;
> bool drop = false;
> char *pos;
> @@ -9370,6 +9371,9 @@ ofpacts_parse__(char *str, const struct ofpact_parse_params *pp,
> if (error) {
> return error;
> }
> + if (pp->ofpacts->size - orig_size > UINT16_MAX) {
> + return xasprintf("input too big");
> + }
> }
>
> if (drop && pp->ofpacts->size) {
> diff --git a/tests/ofp-actions.at b/tests/ofp-actions.at
> index 59093c03c..ef4898abb 100644
> --- a/tests/ofp-actions.at
> +++ b/tests/ofp-actions.at
> @@ -1144,4 +1144,10 @@ bad_action 'apply_actions' 'apply_actions is the default instruction'
> bad_action 'xyzzy' 'unknown action xyzzy'
> bad_action 'drop,3' '"drop" must not be accompanied by any other action or instruction'
>
> +# Too many actions
> +writes=$(printf 'write_actions(%.0s' $(seq 100))
> +bad_action "${writes}" 'Action nested too deeply'
> +outputs=$(printf '1,%.0s' $(seq 4096))
> +bad_action "${outputs}" 'input too big'
> +
> AT_CLEANUP
>
More information about the dev
mailing list