On Wed, Jan 16, 2019 at 02:37:08PM -0800, Yifeng Sun wrote: > ofpact_learn_spec->n_bits is the size of immediate data that is > following ofpact_learn_spec. Now it is defined as 'uint8_t'. > In many places, it gets its value directly from mf_subfield->n_bits, > whose type is 'unsigned int'. If input is large enough, there will > be uint8_t overflow. > > For example, the following command will make ovs-ofctl crash: > ovs-ofctl add-flow br0 "table=0, priority=0, action=learn(limit=20 > tun_metadata15=0x60ff00000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fffffffffffffff0ffffffffffffffffffffffffffff)" > > This patch fixies this issue by changing type of ofpact_learn_spec->n_bits > from uint8_t to uint32_t. > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11870 > Signed-off-by: Yifeng Sun <[email protected]>
Thanks, applied and backported. _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
