author | Ben Pfaff <blp@ovn.org> | 2018-06-25 11:50:51 -0700 |
---|---|---|
committer | Ben Pfaff <blp@ovn.org> | 2018-07-05 15:09:55 -0700 |
commit | 2178af6ff4f36db036dd6de23af3fd3bfaefea34 (patch) | |
tree | 80619395a611a7d63797697ef617456b98b530e9 | |
parent | e1b5444c2f2ed4bda2c75597468f067ae104319d (diff) | |
download | openvswitch-2178af6ff4f36db036dd6de23af3fd3bfaefea34.tar.gz |
ofp-actions: Fix buffer overread in decode_LEARN_specs().
The length check was wrong for immediate arguments to "learn" actions.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9047
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
-rw-r--r-- | lib/ofp-actions.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c index 16e5b3986..7b1aef2a1 100644 --- a/lib/ofp-actions.c +++ b/lib/ofp-actions.c @@ -3957,7 +3957,7 @@ learn_min_len(uint16_t header) min_len += sizeof(ovs_be32); /* src_field */ min_len += sizeof(ovs_be16); /* src_ofs */ } else { - min_len += DIV_ROUND_UP(n_bits, 16); + min_len += 2 * DIV_ROUND_UP(n_bits, 16); } if (dst_type == NX_LEARN_DST_MATCH || dst_type == NX_LEARN_DST_LOAD) { |
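Review bot: the new `min_len += 2 * DIV_ROUND_UP(n_bits, 16);` in the `else` branch of learn_min_len() uses a bare `2` and carries no trailing comment, unlike the `sizeof(ovs_be32)` and `sizeof(ovs_be16)` lines just above it, which name what they count. The old line added a count of 16-bit units to a length that the neighbouring lines accumulate in bytes, so the unit conversion is worth making explicit: consider `min_len += sizeof(ovs_be16) * DIV_ROUND_UP(n_bits, 16);` with a comment such as `/* immediate value */`. The diffstat shows only lib/ofp-actions.c changed; a regression test that decodes a "learn" action whose immediate argument is cut short would keep this length check from regressing.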