On Wed, Aug 15, 2018 at 3:03 PM, Ben Pfaff <b...@ovn.org> wrote: > decode_ed_prop() accepted encap/decap properties with a reported length of > 0, without consuming any data from the property list, which yielded an > infinite loop. > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9918 > Signed-off-by: Ben Pfaff <b...@ovn.org> > --- > lib/ofp-ed-props.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/ofp-ed-props.c b/lib/ofp-ed-props.c > index 901da2f0dd1b..28382e01235c 100644 > --- a/lib/ofp-ed-props.c > +++ b/lib/ofp-ed-props.c > @@ -35,7 +35,7 @@ decode_ed_prop(const struct ofp_ed_prop_header > **ofp_prop,
size_t len = (*ofp_prop)->len; > size_t pad_len = ROUND_UP(len, 8); > > - if (pad_len > *remaining) { > + if (len < sizeof **ofp_prop || pad_len > *remaining) { > Is *remaining > pad_len valid? If it is, which is not intuitive, maybe a comment will help? > return OFPERR_OFPBAC_BAD_LEN; > } > > -- > 2.16.1 > > _______________________________________________ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
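Review bot: the added `len < sizeof **ofp_prop` guard in the `if (... || pad_len > *remaining)` check correctly rejects a property too short to carry its own header, which is what makes the loop consume at least one header per iteration and removes the zero-length spin the commit message describes; but the hunk reads `(*ofp_prop)->len` before either condition is checked, so review should confirm the caller already guarantees at least `sizeof **ofp_prop` bytes in `*remaining` before this function dereferences the header. On the question raised in the reply: since this decodes one property out of a list (per the commit message), `*remaining > pad_len` simply means more data follows and is the expected case; the check only rejects a property whose padded length would overrun the buffer. A one-line comment above the `if`, along the lines of "reject a property shorter than its header (no forward progress) or one whose padded length overruns the remaining buffer", would answer that question and document why the new `len < sizeof **ofp_prop` condition is required.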