Skip to content

Commit

Permalink
ofp-actions: Fix buffer overread in decode_LEARN_specs().
Browse files Browse the repository at this point in the history 
The length check was wrong for immediate arguments to "learn" actions.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9047
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
  • Loading branch information
@blp
blp committed Jul 5, 2018
1 parent 20626d3 commit 6e22b8f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/ofp-actions.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4841,7 +4841,7 @@ learn_min_len(uint16_t header)
min_len += sizeof(ovs_be32); /* src_field */
min_len += sizeof(ovs_be16); /* src_ofs */
} else {
min_len += DIV_ROUND_UP(n_bits, 16);
min_len += 2 * DIV_ROUND_UP(n_bits, 16);
}
if (dst_type == NX_LEARN_DST_MATCH ||
dst_type == NX_LEARN_DST_LOAD) {
Expand Down

0 comments on commit 6e22b8f

Please sign in to comment.