Coverity complained that there's a chance that
ovn_datapath_type_from_string() returns a value >= DP_MAX in
lflow_table_sync_to_sb().
That's actually not possible, the report is a false positive, but to
make it explicit add an assert (as we do in other places that work on
datapaths that have been sanitized).
Coverity report:
CID 501213: (#1 of 1): Out-of-bounds read (OVERRUN)
overrun-local: Overrunning array of 336 bytes at byte offset
336 by dereferencing pointer &dps[dp_type].
Fixes: fd4762a8c9c3 ("lflow-mgr: Use an array for lflow dp groups.")
Signed-off-by: Dumitru Ceara <[email protected]>
---
northd/lflow-mgr.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/northd/lflow-mgr.c b/northd/lflow-mgr.c
index 17d1394d8e..e60d2d0e8f 100644
--- a/northd/lflow-mgr.c
+++ b/northd/lflow-mgr.c
@@ -292,6 +292,8 @@ lflow_table_sync_to_sb(struct lflow_table *lflow_table,
struct hmap *dp_groups;
enum ovn_datapath_type dp_type =
ovn_stage_to_datapath_type(lflow->stage);
+ ovs_assert(dp_type < DP_MAX);
+
dp_groups = &lflow_table->dp_groups[dp_type];
datapaths = &dps[dp_type];
sync_lflow_to_sb(lflow, ovnsb_txn, dp_groups, datapaths,
@@ -323,12 +325,16 @@ lflow_table_sync_to_sb(struct lflow_table *lflow_table,
if (dp) {
enum ovn_datapath_type dp_type =
ovn_datapath_type_from_string(datapath_get_nb_type(dp));
+ ovs_assert(dp_type < DP_MAX);
+
sdp = ovn_synced_datapath_from_sb(&dps[dp_type], dp);
}
for (i = 0; dp_group && i < dp_group->n_datapaths; i++) {
enum ovn_datapath_type dp_type =
ovn_datapath_type_from_string(datapath_get_nb_type(
dp_group->datapaths[i]));
+ ovs_assert(dp_type < DP_MAX);
+
sdp = ovn_synced_datapath_from_sb(&dps[dp_type],
dp_group->datapaths[i]);
if (sdp) {
--
2.52.0
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
