odp-util: Fix buffer overread in parsing string form of ODP flows.

scan_u128() should return 0 on an error but it actually returned an errno value in some cases, so a command like this: ovs-appctl dpctl/add-flow 'ct_label(1/55555555555555555555555555)' '' could cause a buffer overread. This bug is not as severe as it may sound because the string form of ODP flows is not used over OpenFlow or OVSDB, only through the appctl interface that is normally used just by local system administrators and not exposed over a network. Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Joe Stringer <joe@ovn.org>
2025-08-31 14:25:26 +00:00 · 2017-11-26 17:34:59 -08:00
parent eeb0ca88e4
commit 2c53949260
1 changed files with 1 additions and 1 deletions
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -3552,7 +3552,7 @@ scan_u128(const char *s_, ovs_u128 *value, ovs_u128 *mask)
                error = parse_int_string(s, (uint8_t *)&be_mask,
                                         sizeof be_mask, &s);
                if (error) {
-                    return error;
+                    return 0;
                }
                *mask = ntoh128(be_mask);
            } else {