
Commit 9237a63

ofp-actions: Avoid buffer overread in BUNDLE action decoding.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9052 Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
1 parent 572840a commit 9237a63


1 file changed

+7
-6
lines changed


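--- a/lib/ofp-actions.c
+++ b/lib/ofp-actions.c
@@ -1357,12 +1357,13 @@ decode_bundle(bool load, const struct nx_action_bundle *nab,
 load ? "bundle_load" : "bundle", slaves_size,
 bundle->n_slaves * sizeof(ovs_be16), bundle->n_slaves);
 error = OFPERR_OFPBAC_BAD_LEN;
-}
-
-for (i = 0; i < bundle->n_slaves; i++) {
-ofp_port_t ofp_port = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
-ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
-bundle = ofpacts->header;
+} else {
+for (i = 0; i < bundle->n_slaves; i++) {
+ofp_port_t ofp_port
+= u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
+ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
+bundle = ofpacts->header;
+}
 }
 
 ofpact_finish_BUNDLE(ofpacts, &bundle);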
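Review bot: The cast in the added loop, `(ovs_be16 *)(nab + 1)`, drops the `const` that the signature in the hunk header puts on `nab`; writing it as `(const ovs_be16 *)(nab + 1)` keeps the compiler enforcing that the decoder only reads the wire-format action. The new `else` is also the only thing tying the per-port read to the length check, so a one-line comment on it such as `/* slaves_size covers n_slaves ports here, so reads past 'nab' stay inside the action. */` would keep a later refactor from hoisting the loop back out. The condition itself and the computation of `slaves_size` lie above the hunk (decode_bundle starts and ends outside it), so that comment should be checked against them. The commit touches only lib/ofp-actions.c; a decode test with a bundle action whose length is shorter than its port count would pin the fix.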
