Previously, the buffer size of 'struct ofpbuf b' was less than the size of 'char buf[512]'; this could cause a memory overflow of ofpbuf when calling ofpbuf_put_hex. This patch fixes it.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865 Signed-off-by: Yifeng Sun <pkusunyif...@gmail.com> --- lib/odp-util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/odp-util.c b/lib/odp-util.c index 627baaa397ed..bb6669b37af9 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c @@ -2111,9 +2111,9 @@ parse_odp_push_nsh_action(const char *s, struct ofpbuf *actions) struct ofpbuf b; char buf[512]; size_t mdlen, padding; - if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) { - ofpbuf_use_stub(&b, metadata, - NSH_CTX_HDRS_MAX_LEN); + if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf) + && n/2 <= sizeof metadata) { + ofpbuf_use_stub(&b, metadata, sizeof metadata); ofpbuf_put_hex(&b, buf, &mdlen); /* Pad metadata to 4 bytes. */ padding = PAD_SIZE(mdlen, 4); -- 2.7.4 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
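Review bot: the new guard `n/2 <= sizeof metadata` bounds the wrong quantity. `n` is the running scan offset passed to `ovs_scan_len(s, &n, ...)`, so after the scan it counts the `md2=0x` prefix of the format string (and everything already consumed before it in `s`), not the hex digits; `n/2` therefore overstates the metadata length by a varying amount and will reject some inputs that would fit, while still not being a direct statement of what `ofpbuf_put_hex(&b, buf, &mdlen)` writes. Bound the decoded length itself, e.g. `strlen(buf) / 2 <= sizeof metadata` after the scan, or save `n` before the call and compare the delta. The `%511[0-9a-fA-F]` conversion still admits 511 digits (255 bytes), so this check is the only thing keeping that out of the stub and it should be exact. Also, `padding = PAD_SIZE(mdlen, 4)` on the last context line is added to the same stub, so the bound should cover `mdlen + padding` unless `sizeof metadata` is already a multiple of 4; a comment stating that assumption would help. Minor style: OVS spaces binary operators, so `n / 2`.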
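The bound the commit message is after, written out as an added example in C. This is not Open vSwitch code: the 248-byte stub size, the parse_md2/pad4/demo_* names and the rejection of an odd digit count are assumptions of the example; it only borrows the "md2=0x" prefix, the 511-digit scan cap and the running-offset convention of ovs_scan_len from the patch. The point it makes is that the length check must come from the number of hex digits actually scanned, with the 4-byte padding included, rather than from the scan offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes assumed by this example (not taken from the OVS headers): a
 * 248-byte metadata stub and the 511-digit cap from the "%511[...]" scan. */
#define MD_STUB_LEN   248
#define MD_MAX_DIGITS 511

/* Value of one hex digit, or -1 for anything else (including NUL). */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') { return c - '0'; }
    if (c >= 'a' && c <= 'f') { return c - 'a' + 10; }
    if (c >= 'A' && c <= 'F') { return c - 'A' + 10; }
    return -1;
}

/* len rounded up to a multiple of 4, i.e. len + PAD_SIZE(len, 4). */
static size_t pad4(size_t len)
{
    return (len + 3) & ~(size_t) 3;
}

/* Parse "md2=0x<hex>" at s + *n (same running-offset convention as
 * ovs_scan_len) into out[0..out_cap).  Returns the bytes written, padding
 * included, or 0 on rejection, in which case *n and out are untouched.
 * The bound is derived from the digits actually scanned: *n also counts
 * the "md2=0x" prefix and whatever preceded it in s, so *n / 2 is not the
 * metadata length. */
size_t parse_md2(const char *s, int *n, uint8_t *out, size_t out_cap)
{
    static const char prefix[] = "md2=0x";
    const size_t plen = sizeof prefix - 1;
    const char *p = s + *n;
    size_t digits = 0;

    if (strncmp(p, prefix, plen) != 0) {
        return 0;
    }
    p += plen;

    /* Mirror %511[0-9a-fA-F]: stop at the first non-hex char or at 511. */
    while (digits < MD_MAX_DIGITS && hexval((unsigned char) p[digits]) >= 0) {
        digits++;
    }
    /* Example choice: reject a dangling nibble instead of dropping it. */
    if (digits == 0 || digits % 2 != 0) {
        return 0;
    }

    size_t mdlen = digits / 2;
    size_t padded = pad4(mdlen);    /* the padding lands in the same stub */
    if (padded > out_cap) {
        return 0;                   /* would overrun the fixed-size stub */
    }

    for (size_t i = 0; i < mdlen; i++) {
        int hi = hexval((unsigned char) p[2 * i]);
        int lo = hexval((unsigned char) p[2 * i + 1]);
        out[i] = (uint8_t) ((hi << 4) | lo);
    }
    memset(out + mdlen, 0, padded - mdlen);

    *n += (int) (plen + digits);
    return padded;
}

/* Demo helpers; every input below is constructed, not captured traffic. */

/* "md2=0x" followed by `digits` copies of 'a'; returns parse_md2's result. */
size_t demo_with_digits(size_t digits)
{
    char s[MD_MAX_DIGITS + 64];
    uint8_t out[MD_STUB_LEN];
    int n = 0;

    if (digits > sizeof s - 8) {
        digits = sizeof s - 8;
    }
    memcpy(s, "md2=0x", 6);
    memset(s + 6, 'a', digits);
    s[6 + digits] = '\0';
    return parse_md2(s, &n, out, sizeof out);
}

/* Scan offset after parsing s from offset 0, or -1 if rejected. */
int demo_offset(const char *s)
{
    int n = 0;
    uint8_t out[MD_STUB_LEN];
    return parse_md2(s, &n, out, sizeof out) ? n : -1;
}

/* Byte i of the decoded, padded metadata for s, or -1 if out of range. */
int demo_byte(const char *s, size_t i)
{
    int n = 0;
    uint8_t out[MD_STUB_LEN];
    size_t len = parse_md2(s, &n, out, sizeof out);
    return i < len ? out[i] : -1;
}

int main(void)
{
    printf("10 digits  -> %zu bytes\n", demo_with_digits(10));  /* 5 + 3 pad */
    printf("496 digits -> %zu bytes\n", demo_with_digits(496)); /* fills stub */
    printf("498 digits -> %zu bytes\n", demo_with_digits(498)); /* rejected */
    printf("511 digits -> %zu bytes\n", demo_with_digits(511)); /* odd count */
    return 0;
}
```

Two things the bound has to get right: it is computed from `digits / 2`, never from the offset that also covers the prefix and earlier fields, and it is compared after rounding up to the 4-byte padding, so a 249-byte payload is refused even though 249 bytes alone would fit a 248-byte stub only by one short. The 511-digit cap from the format string is not a safety bound on its own: it still admits 255 bytes.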