odp-util: Use flexible sized buffer to hold Geneve options.

The 'mask' buffer in parse_odp_action() is supposed to always be big enough: /* 'mask' is big enough to hold any key. */ Geneve options can be really big and the comment was wrong. In addition, the user might supply more options than can really fit in any case, so we might as well just use a stub. Found by libfuzzer. Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> Signed-off-by: Ben Pfaff <blp@ovn.org>
openvswitch · Dec 22, 2017 · 0e74b8c · 0e74b8c
1 parent bd0a6b6
commit 0e74b8c
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/lib/odp-util.c b/lib/odp-util.c
@@ -1582,20 +1582,19 @@ parse_odp_action(const char *s, const struct simap *port_names,
     if (!strncmp(s, "set(", 4)) {
         size_t start_ofs;
         int retval;
-        struct nlattr mask[128 / sizeof(struct nlattr)];
-        struct ofpbuf maskbuf;
+        struct nlattr mask[1024 / sizeof(struct nlattr)];
+        struct ofpbuf maskbuf = OFPBUF_STUB_INITIALIZER(mask);
         struct nlattr *nested, *key;
         size_t size;
 
-        /* 'mask' is big enough to hold any key. */
-        ofpbuf_use_stack(&maskbuf, mask, sizeof mask);
-
         start_ofs = nl_msg_start_nested(actions, OVS_ACTION_ATTR_SET);
         retval = parse_odp_key_mask_attr(s + 4, port_names, actions, &maskbuf);
         if (retval < 0) {
+            ofpbuf_uninit(&maskbuf);
             return retval;
         }
         if (s[retval + 4] != ')') {
+            ofpbuf_uninit(&maskbuf);
             return -EINVAL;
         }
 
@@ -1613,6 +1612,7 @@ parse_odp_action(const char *s, const struct simap *port_names,
                 nested->nla_type = OVS_ACTION_ATTR_SET_MASKED;
             }
         }
+        ofpbuf_uninit(&maskbuf);
 
         nl_msg_end_nested(actions, start_ofs);
         return retval + 5;