[ovs-git] [openvswitch/ovs] 8ad7c1: ofp-actions: Avoid overflow for ofpact_learn_spec-...

GitHub noreply at github.com
Thu Jan 17 18:07:27 UTC 2019


  Branch: refs/heads/branch-2.10
  Home:   https://github.com/openvswitch/ovs
  Commit: 8ad7c1f274c68336dc26b7c5eca2c2ef1ad44dfb
      https://github.com/openvswitch/ovs/commit/8ad7c1f274c68336dc26b7c5eca2c2ef1ad44dfb
  Author: Yifeng Sun <pkusunyifeng at gmail.com>
  Date:   2019-01-17 (Thu, 17 Jan 2019)

  Changed paths:
    M include/openvswitch/ofp-actions.h

  Log Message:
  -----------
  ofp-actions: Avoid overflow for ofpact_learn_spec->n_bits

ofpact_learn_spec->n_bits is the size of immediate data that is
following ofpact_learn_spec. Now it is defined as 'uint8_t'.
In many places, it gets its value directly from mf_subfield->n_bits,
whose type is 'unsigned int'. If input is large enough, there will
be uint8_t overflow.

For example, the following command will make ovs-ofctl crash:
ovs-ofctl add-flow br0 "table=0, priority=0, action=learn(limit=20  tun_metadata15=0x60ff00000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fffffffffffffff0ffffffffffffffffffffffffffff)"

This patch fixes this issue by changing the type of ofpact_learn_spec->n_bits
from uint8_t to uint32_t.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11870
Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
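
The truncation described in the log message, as an added example that is not part of the commit or of the OVS source. The two structs are simplified, hypothetical stand-ins for the field before and after the patch, and the 992-bit width is a constructed sample value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the n_bits field; not the OVS definitions. */
struct spec_narrow { uint8_t  n_bits; };  /* field type before the patch */
struct spec_wide   { uint32_t n_bits; };  /* field type after the patch */

/* Bytes of immediate data implied by a bit count. */
static size_t imm_bytes(unsigned int n_bits)
{
    return ((size_t) n_bits + 7) / 8;
}

/* Stores an 'unsigned int' width in a uint8_t: only the low 8 bits survive. */
size_t narrow_imm_bytes(unsigned int subfield_n_bits)
{
    struct spec_narrow s;
    s.n_bits = subfield_n_bits;           /* silent truncation modulo 256 */
    return imm_bytes(s.n_bits);
}

/* Same store with the widened field: the value is preserved. */
size_t wide_imm_bytes(unsigned int subfield_n_bits)
{
    struct spec_wide s;
    s.n_bits = subfield_n_bits;
    return imm_bytes(s.n_bits);
}

/* Range-checked store for code that must keep a narrow field.
 * Returns 0 on success, -1 if the value does not fit. */
int store_checked_u8(uint8_t *dst, unsigned int value)
{
    if (value > UINT8_MAX) {
        return -1;
    }
    *dst = (uint8_t) value;
    return 0;
}

int main(void)
{
    unsigned int n_bits = 992;            /* constructed sample width */
    printf("narrow: %zu bytes, wide: %zu bytes\n",
           narrow_imm_bytes(n_bits), wide_imm_bytes(n_bits));
    return 0;
}
```

With the narrow field the recorded size no longer matches the data that follows the spec, so any code that walks or copies by n_bits works from the wrong length.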


