ofpbuf_put_hex doesn't know buf's length and only checks buf's content to process. This is dangerous. This patch fixes it.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865 Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863 Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855 Signed-off-by: Yifeng Sun <pkusunyif...@gmail.com> --- lib/odp-util.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/odp-util.c b/lib/odp-util.c index 7705bb30ae21..d482d5bcf968 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c @@ -2107,6 +2107,7 @@ parse_odp_push_nsh_action(const char *s, struct ofpbuf *actions) if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) { ofpbuf_use_stub(&b, metadata, NSH_CTX_HDRS_MAX_LEN); + buf[n - 6] = '\0'; ofpbuf_put_hex(&b, buf, &mdlen); /* Pad metadata to 4 bytes. */ padding = PAD_SIZE(mdlen, 4); -- 2.7.4 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev