In the ver_flags_ttl_len field of struct nshhdr, only 6 bits are used to indicate the header's total length in 4-byte words. Therefore, the maximum value for the total length is 252 (63x4), instead of the 256 used in the present code base. This patch fixes it.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855
Signed-off-by: Yifeng Sun <pkusunyif...@gmail.com>
---
 datapath/linux/compat/include/net/nsh.h | 4 ++--
 include/openvswitch/nsh.h | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/datapath/linux/compat/include/net/nsh.h b/datapath/linux/compat/include/net/nsh.h
index ff3733d9032d..76894910cfcb 100644
--- a/datapath/linux/compat/include/net/nsh.h
+++ b/datapath/linux/compat/include/net/nsh.h
@@ -247,10 +247,10 @@ struct nshhdr {
 #define NSH_M_TYPE1_LEN 24
 
 /* NSH header maximum Length. */
-#define NSH_HDR_MAX_LEN 256
+#define NSH_HDR_MAX_LEN 252
 
 /* NSH context headers maximum Length. */
-#define NSH_CTX_HDRS_MAX_LEN 248
+#define NSH_CTX_HDRS_MAX_LEN 244
 
 static inline struct nshhdr *nsh_hdr(struct sk_buff *skb)
 {
diff --git a/include/openvswitch/nsh.h b/include/openvswitch/nsh.h
index 55f59d636e5a..afed932fcb75 100644
--- a/include/openvswitch/nsh.h
+++ b/include/openvswitch/nsh.h
@@ -263,10 +263,10 @@ struct nsh_hdr {
 #define NSH_M_TYPE1_LEN 24
 
 /* NSH header maximum Length. */
-#define NSH_HDR_MAX_LEN 256
+#define NSH_HDR_MAX_LEN 252
 
 /* NSH context headers maximum Length. */
-#define NSH_CTX_HDRS_MAX_LEN 248
+#define NSH_CTX_HDRS_MAX_LEN 244
 
 static inline uint16_t
 nsh_hdr_len(const struct nsh_hdr *nsh)
--
2.7.4

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
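Review bot: The new limits are still bare literals in both hunks, so nothing in the headers ties 252 to the 6-bit length field the commit message derives it from, or 244 to the 8-byte difference that the old 256/248 pair also had. I would spell the derivation out where the macro is defined, e.g. `#define NSH_HDR_MAX_LEN (63 * 4) /* 6-bit length field, in 4-byte words */`, and define the context-header limit as the header maximum minus the base header size rather than as a second independent literal. The same applies to the copy in include/openvswitch/nsh.h, and the two copies need to stay in step. Because these macros bound lengths taken from packet data, any buffer sized with the old 256 and any comparison against it should be rechecked for agreement with the new value; those uses are outside the hunks shown here.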