authorBen Pfaff <blp@ovn.org>2018-06-25 13:07:43 -0700
committerBen Pfaff <blp@ovn.org>2018-07-05 15:09:04 -0700
commite1b5444c2f2ed4bda2c75597468f067ae104319d (patch)
tree1a7f268c4ed554e4359783a7a0fe4d68675a24e8
parentcadae7bc1ffbcda376ee2e12bb05b5cac3966531 (diff)
ofp-actions: Avoid buffer overread in BUNDLE action decoding.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9052 Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
-rw-r--r--lib/ofp-actions.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
index 36bbc00d2..16e5b3986 100644
--- a/lib/ofp-actions.c
+++ b/lib/ofp-actions.c
@@ -1081,12 +1081,13 @@ decode_bundle(bool load, const struct nx_action_bundle *nab,
load ? "bundle_load" : "bundle", slaves_size,
bundle->n_slaves * sizeof(ovs_be16), bundle->n_slaves);
error = OFPERR_OFPBAC_BAD_LEN;
- }
-
- for (i = 0; i < bundle->n_slaves; i++) {
- ofp_port_t ofp_port = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
- ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
- bundle = ofpacts->header;
+ } else {
+ for (i = 0; i < bundle->n_slaves; i++) {
+ ofp_port_t ofp_port
+ = u16_to_ofp(ntohs(((ovs_be16 *)(nab + 1))[i]));
+ ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
+ bundle = ofpacts->header;
+ }
}
ofpact_update_len(ofpacts, &bundle->ofpact);
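Review bot: On the `OFPERR_OFPBAC_BAD_LEN` path the copy loop is now skipped, but `bundle->n_slaves` still holds the count that failed the length check while no port entries were appended, and `ofpact_update_len()` runs either way. The resulting ofpact is therefore only consistent if callers discard `ofpacts` whenever an error is returned, which cannot be confirmed from this hunk. The new `else` is also the only thing bounding the reads from `nab + 1`, so it deserves a comment such as `/* slaves_size was validated above, so the n_slaves ports following 'nab' are in bounds. */`. As a style point, the cast `(ovs_be16 *)(nab + 1)` drops the `const` that `nab` carries in the signature; `(const ovs_be16 *)(nab + 1)` would keep it. `decode_bundle` begins and ends outside the hunk, including the condition of the length check itself.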