ofp-actions: Avoid buffer overread in BUNDLE action decoding.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9052
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
blp committed Jul 5, 2018
1 parent 572840a commit 9237a63
13 changes: 7 additions & 6 deletions lib/ofp-actions.c
Expand Up @@ -1357,12 +1357,13 @@ decode_bundle(bool load, const struct nx_action_bundle *nab,
load ? "bundle_load" : "bundle", slaves_size,
bundle->n_slaves * sizeof(ovs_be16), bundle->n_slaves);
error = OFPERR_OFPBAC_BAD_LEN;
}

for (i = 0; i < bundle->n_slaves; i++) {
ofp_port_t ofp_port = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
bundle = ofpacts->header;
} else {
for (i = 0; i < bundle->n_slaves; i++) {
ofp_port_t ofp_port
= u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
bundle = ofpacts->header;
}
}

ofpact_finish_BUNDLE(ofpacts, &bundle);
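Review bot: the new `else` correctly keeps the slave loop from indexing `((ovs_be16 *)(nab + 1))[i]` past the `slaves_size` bytes actually present in the action when `bundle->n_slaves * sizeof(ovs_be16)` is larger, which is the overread this commit fixes, but the error path still falls through to `ofpact_finish_BUNDLE(ofpacts, &bundle)` with `bundle->n_slaves` advertising slave ports that were never appended to `ofpacts`. If every caller discards `ofpacts` whenever `error` is non-zero this is harmless, but it would be more robust to `return error;` before `ofpact_finish_BUNDLE` (or to set `bundle->n_slaves = 0` in the error branch) so an inconsistent bundle action can never be consumed. A one-line comment above the `else`, noting that the loop reads `n_slaves` entries from `nab + 1` and therefore must not run when `slaves_size` is too short, would document why the loop was moved and keep a future refactor from hoisting it back out.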

1 comment on commit 9237a63

@abergmann

I've contacted MITRE and they have assigned CVE-2018-17206 to this issue.
