flow: Avoid buffer overread in parse_nsh() for malformed packet.

Found by libfuzzer. CC: Jan Scheurich <jan.scheurich@ericsson.com> Fixes: 7edef47 ("NSH: Minor bugfixes") Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Jan Scheurich <jan.scheurich@ericsson.com>
openvswitch · Nov 29, 2017 · e969b7a · e969b7a
1 parent 949b4f1
commit e969b7a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/flow.c b/lib/flow.c
@@ -553,7 +553,7 @@ parse_nsh(const void **datap, size_t *sizep, struct flow_nsh *key)
     /* NSH header length is in 4 byte words. */
     length = ((ver_flags_len & NSH_LEN_MASK) >> NSH_LEN_SHIFT) << 2;
 
-    if (version != 0) {
+    if (length > *sizep || version != 0) {
         return false;
     }