mirror of https://github.com/openvswitch/ovs synced 2025-09-05 00:35:33 +00:00

ofp-actions: Avoid overflow for ofpact_learn_spec->n_bits

ofpact_learn_spec->n_bits is the size of immediate data that is
following ofpact_learn_spec. Now it is defined as 'uint8_t'.
In many places, it gets its value directly from mf_subfield->n_bits,
whose type is 'unsigned int'. If input is large enough, there will
be uint8_t overflow.

For example, the following command will make ovs-ofctl crash:
ovs-ofctl add-flow br0 "table=0, priority=0, action=learn(limit=20  tun_metadata15=0x60ff00000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fffffffffffffff0ffffffffffffffffffffffffffff)"

This patch fixes this issue by changing type of ofpact_learn_spec->n_bits
from uint8_t to uint32_t.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11870
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This commit is contained in:
Yifeng Sun
2019-01-16 14:37:08 -08:00
committed by Ben Pfaff
parent 2c2f4499a4
commit 8ed9df00b6
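
The truncation the commit message describes, as an added example that is not code from the OVS tree: a writer sizes the immediate data from the full `unsigned int` width, while a reader sizes it from the stored header field, so a `uint8_t` field makes the two disagree. The struct and function names are hypothetical simplifications, and the 992-bit width is a constructed sample value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIV_ROUND_UP(x, y) (((x) + (y) - 1) / (y))

/* Simplified stand-ins for the header before and after the patch
 * (hypothetical, not the OVS definitions). */
struct spec_u8  { uint16_t src_type, dst_type; uint8_t  n_bits; };
struct spec_u32 { uint16_t src_type, dst_type; uint32_t n_bits; };

/* Bytes of immediate data an encoder appends for a subfield this wide. */
size_t imm_bytes_written(unsigned int subfield_bits)
{
    return DIV_ROUND_UP(subfield_bits, 8);
}

/* Bytes a later reader expects, derived only from the stored 8-bit field. */
size_t imm_bytes_read_u8(unsigned int subfield_bits)
{
    struct spec_u8 s = { 0, 0, (uint8_t) subfield_bits };  /* truncates mod 256 */
    return DIV_ROUND_UP((size_t) s.n_bits, 8);
}

/* Same reader with the widened field: the value survives intact. */
size_t imm_bytes_read_u32(unsigned int subfield_bits)
{
    struct spec_u32 s = { 0, 0, subfield_bits };
    return DIV_ROUND_UP((size_t) s.n_bits, 8);
}

/* Defensive alternative when a field must stay narrow: reject, never wrap. */
int store_n_bits_checked(unsigned int subfield_bits, uint8_t *out)
{
    if (subfield_bits > UINT8_MAX) {
        return -1;
    }
    *out = (uint8_t) subfield_bits;
    return 0;
}

int main(void)
{
    unsigned int wide = 992;  /* constructed sample width in bits */
    printf("written=%zu read_u8=%zu read_u32=%zu\n", imm_bytes_written(wide),
           imm_bytes_read_u8(wide), imm_bytes_read_u32(wide));
    return 0;
}
```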

@@ -799,7 +799,7 @@ struct ofpact_learn_spec {
* NX_LEARN_DST_LOAD only. */
uint16_t src_type; /* One of NX_LEARN_SRC_*. */
uint16_t dst_type; /* One of NX_LEARN_DST_*. */
uint8_t n_bits; /* Number of bits in source and dest. */
uint32_t n_bits; /* Number of bits in source and dest. */
);
/* Followed by 'DIV_ROUND_UP(n_bits, 8)' bytes of immediate data for
* match 'dst_type's NX_LEARN_DST_MATCH and NX_LEARN_DST_LOAD when
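Review bot: The n_bits member of struct ofpact_learn_spec is widened here, but its comment still only says "Number of bits in source and dest." and gives no valid range, and nothing in this hunk checks the value where it is stored. Because the comment that follows sizes the trailing immediate data as 'DIV_ROUND_UP(n_bits, 8)' bytes, it would help to document the maximum n_bits a caller may pass and to add a regression test built from the ovs-ofctl add-flow command in the commit message, so a later narrowing of this field is caught.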