ofp-actions: Set an action depth limit to prevent stackoverflow by of…

…pacts_parse Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12557 Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
openvswitch · Feb 4, 2019 · 1f886f0 · 1f886f0
1 parent 561ac83
commit 1f886f0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/include/openvswitch/ofp-actions.h b/include/openvswitch/ofp-actions.h
@@ -1175,7 +1175,11 @@ struct ofpact_parse_params {
     /* Output. */
     struct ofpbuf *ofpacts;
     enum ofputil_protocol *usable_protocols;
+
+    /* Parse context. */
+    unsigned int depth;
 };
+#define MAX_OFPACT_PARSE_DEPTH 100
 char *ofpacts_parse_actions(const char *, const struct ofpact_parse_params *)
     OVS_WARN_UNUSED_RESULT;
 char *ofpacts_parse_instructions(const char *,

diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
@@ -9062,11 +9062,16 @@ static char * OVS_WARN_UNUSED_RESULT
 ofpacts_parse(char *str, const struct ofpact_parse_params *pp,
               bool allow_instructions, enum ofpact_type outer_action)
 {
+    if (pp->depth >= MAX_OFPACT_PARSE_DEPTH) {
+        return xstrdup("Action nested too deeply");
+    }
+    CONST_CAST(struct ofpact_parse_params *, pp)->depth++;
     uint32_t orig_size = pp->ofpacts->size;
     char *error = ofpacts_parse__(str, pp, allow_instructions, outer_action);
     if (error) {
         pp->ofpacts->size = orig_size;
     }
+    CONST_CAST(struct ofpact_parse_params *, pp)->depth--;
     return error;
 }