
ofp-actions: Avoid buffer overread in BUNDLE action decoding.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9052
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
blp committed Jun 25, 2018
1 parent 7521e0c commit 5026a263d7846077eee540de42192d27da513226
Showing with 7 additions and 6 deletions.
  1. +7 −6 lib/ofp-actions.c
@@ -1380,12 +1380,13 @@ decode_bundle(bool load, const struct nx_action_bundle *nab,
load ? "bundle_load" : "bundle", slaves_size,
bundle->n_slaves * sizeof(ovs_be16), bundle->n_slaves);
error = OFPERR_OFPBAC_BAD_LEN;
}

for (i = 0; i < bundle->n_slaves; i++) {
ofp_port_t ofp_port = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
bundle = ofpacts->header;
} else {
for (i = 0; i < bundle->n_slaves; i++) {
ofp_port_t ofp_port
= u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
bundle = ofpacts->header;
}
}

ofpact_finish_BUNDLE(ofpacts, &bundle);
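
Review bot: The new `else` around the copy loop is the only thing keeping `((ovs_be16 *)(nab + 1))[i]` from being read when `slaves_size` is too small for `bundle->n_slaves`, and because the failing branch records `error = OFPERR_OFPBAC_BAD_LEN` and falls through instead of returning, that dependency is easy to break in a later refactor. A one-line comment on the `else` stating that the slave array must not be read after a failed length check would make the invariant explicit. The change touches only lib/ofp-actions.c, so it would also be worth adding a regression test that decodes a BUNDLE action whose body is shorter than its declared slave count and expects OFPERR_OFPBAC_BAD_LEN.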
