author | Ben Pfaff <blp@ovn.org> | 2018-06-25 13:07:43 -0700 |
---|---|---|
committer | Ben Pfaff <blp@ovn.org> | 2018-07-05 15:09:04 -0700 |
commit | e1b5444c2f2ed4bda2c75597468f067ae104319d (patch) | |
tree | 1a7f268c4ed554e4359783a7a0fe4d68675a24e8 | |
parent | cadae7bc1ffbcda376ee2e12bb05b5cac3966531 (diff) | |
download | openvswitch-e1b5444c2f2ed4bda2c75597468f067ae104319d.tar.gz |
ofp-actions: Avoid buffer overread in BUNDLE action decoding.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9052
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
-rw-r--r-- | lib/ofp-actions.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c index 36bbc00d2..16e5b3986 100644 --- a/lib/ofp-actions.c +++ b/lib/ofp-actions.c @@ -1081,12 +1081,13 @@ decode_bundle(bool load, const struct nx_action_bundle *nab, load ? "bundle_load" : "bundle", slaves_size, bundle->n_slaves * sizeof(ovs_be16), bundle->n_slaves); error = OFPERR_OFPBAC_BAD_LEN; - } - - for (i = 0; i < bundle->n_slaves; i++) { - ofp_port_t ofp_port = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i])); - ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port); - bundle = ofpacts->header; + } else { + for (i = 0; i < bundle->n_slaves; i++) { + ofp_port_t ofp_port + = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i])); + ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port); + bundle = ofpacts->header; + } } ofpact_update_len(ofpacts, &bundle->ofpact); |
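Review bot: The copy loop in the new `else` branch of decode_bundle is memory-safe only because the branch before it (whose condition lies outside the hunk, presumably the `slaves_size` versus `bundle->n_slaves * sizeof(ovs_be16)` comparison named in the log arguments) has rejected a short action, and nothing beside the loop records that. A comment before the `for`, such as `/* The length check above guarantees that n_slaves entries follow 'nab'. */`, would keep a later error branch or refactor from reintroducing the overread. The cast `(ovs_be16 *)(nab + 1)` also discards the `const` on `nab`; `(const ovs_be16 *)(nab + 1)` reads the same data without dropping the qualifier. The diffstat lists only lib/ofp-actions.c, so the truncated BUNDLE input from the fuzzer report appears to have no regression test in this commit, and one would be worth adding. The start of decode_bundle and the statements after `ofpact_update_len` are outside the hunk.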