ofp-actions: Fix buffer overread in decode_LEARN_specs().

The length check was wrong for immediate arguments to "learn" actions. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9047 Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
openvswitch · Jul 5, 2018 · ba8a319 · ba8a319
1 parent d46c43b
commit ba8a319
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
@@ -3736,7 +3736,7 @@ learn_min_len(uint16_t header)
         min_len += sizeof(ovs_be32); /* src_field */
         min_len += sizeof(ovs_be16); /* src_ofs */
     } else {
-        min_len += DIV_ROUND_UP(n_bits, 16);
+        min_len += 2 * DIV_ROUND_UP(n_bits, 16);
     }
     if (dst_type == NX_LEARN_DST_MATCH ||
         dst_type == NX_LEARN_DST_LOAD) {