On Wed, Aug 15, 2018 at 3:03 PM, Ben Pfaff <b...@ovn.org> wrote:

> decode_ed_prop() accepted encap/decap properties with a reported length of
> 0, without consuming any data from the property list, which yielded an
> infinite loop.
>
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9918
> Signed-off-by: Ben Pfaff <b...@ovn.org>
> ---
>  lib/ofp-ed-props.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/ofp-ed-props.c b/lib/ofp-ed-props.c
> index 901da2f0dd1b..28382e01235c 100644
> --- a/lib/ofp-ed-props.c
> +++ b/lib/ofp-ed-props.c
> @@ -35,7 +35,7 @@ decode_ed_prop(const struct ofp_ed_prop_header
> **ofp_prop,

     size_t len = (*ofp_prop)->len;
>      size_t pad_len = ROUND_UP(len, 8);
>
> -    if (pad_len > *remaining) {
> +    if (len < sizeof **ofp_prop || pad_len > *remaining) {
>

Is *remaining > pad_len valid?
If it is, which is not intuitive, maybe a comment will help?

>          return OFPERR_OFPBAC_BAD_LEN;
>      }
>
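Review bot: the added `len < sizeof **ofp_prop` test is the part of this condition that guarantees forward progress (a len that is at least the header size is non-zero, so ROUND_UP(len, 8) is at least 8 and every iteration of the caller's loop consumes bytes), but nothing in the hunk records that, so a later reader can mistake it for a plain "property shorter than its header" sanity check, treat it as redundant with per-type length validation, and drop it, which would bring the oss-fuzz loop back. Suggest a comment directly above the `if`, along the lines of: "A property must be at least as long as its header.  This also guarantees pad_len >= 8, so each property consumes data and the caller's loop terminates." Separately, this check only covers the generic header; the per-type minimum body lengths are validated (or not) in code outside this hunk, so that is worth confirming in the same pass.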
> --
> 2.16.1
>
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
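As an added example (not Open vSwitch code, and not from the patch author): a minimal C property walker that reproduces the loop the commit message describes and the check the hunk adds. struct prop_header, decode_one(), walk_props(), count_props(), the enum walk_result values and the four sample buffers are all assumptions made up for this example; only the class/type/len header, the ROUND_UP(len, 8) padding and the two length tests mirror the hunk. The unfixed variant needs an iteration cap to terminate here, which the real loop does not have.

```c
/* Added example, not Open vSwitch code.  A minimal walker over a list of
 * OpenFlow-style encap/decap property TLVs: a property whose len field is 0
 * rounds up to pad_len 0, so the pointer and the byte count never move and a
 * "while (remaining)" loop spins forever.  All names here are local to this
 * example; only the header layout and ROUND_UP(len, 8) follow the hunk. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROUND_UP(X, Y) ((((X) + (Y) - 1) / (Y)) * (Y))

struct prop_header {
    uint16_t prop_class;    /* big-endian on the wire; not interpreted here */
    uint8_t type;
    uint8_t len;            /* length of the whole property, header included */
};

enum walk_result {
    WALK_OK = 0,            /* consumed the whole buffer */
    WALK_BAD_LEN,           /* a property's length field was rejected */
    WALK_STUCK              /* demo guard only: hit the iteration cap */
};

/* Decode one property header and step past the property.
 * strict == false reproduces the pre-fix check (pad_len > remaining only);
 * strict == true adds the fix's "len < sizeof header" rejection. */
static enum walk_result
decode_one(const uint8_t **p, size_t *remaining, bool strict)
{
    struct prop_header hdr;

    if (*remaining < sizeof hdr) {
        return WALK_BAD_LEN;            /* not even a full header left */
    }
    memcpy(&hdr, *p, sizeof hdr);
    size_t len = hdr.len;
    size_t pad_len = ROUND_UP(len, 8);  /* ROUND_UP(0, 8) == 0: no progress */

    if ((strict && len < sizeof hdr) || pad_len > *remaining) {
        return WALK_BAD_LEN;
    }
    *p += pad_len;
    *remaining -= pad_len;
    return WALK_OK;
}

/* Walk a property list the way the action decoder's loop does.  max_iters
 * exists only so the unfixed variant terminates in this demo; iters_out, if
 * non-NULL, receives the number of decode_one() calls made. */
enum walk_result
walk_props(const uint8_t *buf, size_t n, bool strict,
           unsigned max_iters, unsigned *iters_out)
{
    const uint8_t *p = buf;
    size_t remaining = n;
    unsigned iters = 0;
    enum walk_result r = WALK_OK;

    while (remaining > 0) {
        if (iters == max_iters) {
            r = WALK_STUCK;
            break;
        }
        iters++;
        r = decode_one(&p, &remaining, strict);
        if (r != WALK_OK) {
            break;
        }
    }
    if (iters_out) {
        *iters_out = iters;
    }
    return r;
}

/* Number of properties decoded when the whole list is accepted, else 0. */
unsigned
count_props(const uint8_t *buf, size_t n, bool strict)
{
    unsigned iters = 0;
    return walk_props(buf, n, strict, 1000, &iters) == WALK_OK ? iters : 0;
}

/* Constructed sample lists (hand-built, not captured from a switch).
 * Bytes are: class (2), type, len, then payload padded to 8. */
const uint8_t sample_good[16] = {
    0x00, 0x00, 0x01, 0x08, 0xaa, 0xbb, 0xcc, 0xdd,   /* len 8 */
    0x00, 0x00, 0x02, 0x08, 0x01, 0x02, 0x03, 0x04,   /* len 8 */
};
const uint8_t sample_zero_len[8]  = { 0, 0, 0x01, 0x00, 0, 0, 0, 0 }; /* len 0: the fuzzer case */
const uint8_t sample_short_hdr[8] = { 0, 0, 0x01, 0x03, 0, 0, 0, 0 }; /* len 3 < header size */
const uint8_t sample_overlong[8]  = { 0, 0, 0x01, 0x0c, 0, 0, 0, 0 }; /* len 12 > bytes present */

int
main(void)
{
    static const char *const names[] = { "ok", "bad-len", "stuck" };
    unsigned n = 0;

    printf("good list, fixed:   %s, %u props\n",
           names[walk_props(sample_good, sizeof sample_good, true, 1000, &n)], n);
    printf("zero-len, unfixed:  %s after %u iterations\n",
           names[walk_props(sample_zero_len, sizeof sample_zero_len, false, 1000, &n)], n);
    printf("zero-len, fixed:    %s\n",
           names[walk_props(sample_zero_len, sizeof sample_zero_len, true, 1000, NULL)]);
    printf("len 3, unfixed/fixed: %s / %s\n",
           names[walk_props(sample_short_hdr, sizeof sample_short_hdr, false, 1000, NULL)],
           names[walk_props(sample_short_hdr, sizeof sample_short_hdr, true, 1000, NULL)]);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the unfixed walker reports "stuck" after 1000 iterations on the zero-length list, the fixed one rejects it on the first property, and the len 3 case shows that the header-size test also catches a truncated header that the old pad_len-only check let through.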