odp-util: Use flexible sized buffer to hold Geneve options.

The 'mask' buffer in parse_odp_action() is supposed to always be big
enough:
        /* 'mask' is big enough to hold any key. */

Geneve options can be really big and the comment was wrong.  In addition,
the user might supply more options than can really fit in any case, so
we might as well just use a stub.

Found by libfuzzer.

Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>

1 files changed, 5 insertions, 5 deletions

diff --git a/lib/odp-util.c b/lib/odp-util.c
index f14cbeae8..4015fc084 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -1606,20 +1606,19 @@ parse_odp_action(const char *s, const struct simap *port_names,
     if (!strncmp(s, "set(", 4)) {
         size_t start_ofs;
         int retval;
-        struct nlattr mask[128 / sizeof(struct nlattr)];
-        struct ofpbuf maskbuf;
+        struct nlattr mask[1024 / sizeof(struct nlattr)];
+        struct ofpbuf maskbuf = OFPBUF_STUB_INITIALIZER(mask);
         struct nlattr *nested, *key;
         size_t size;
 
-        /* 'mask' is big enough to hold any key. */
-        ofpbuf_use_stack(&maskbuf, mask, sizeof mask);
-
         start_ofs = nl_msg_start_nested(actions, OVS_ACTION_ATTR_SET);
         retval = parse_odp_key_mask_attr(s + 4, port_names, actions, &maskbuf);
         if (retval < 0) {
+            ofpbuf_uninit(&maskbuf);
             return retval;
         }
         if (s[retval + 4] != ')') {
+            ofpbuf_uninit(&maskbuf);
             return -EINVAL;
         }
 
@@ -1637,6 +1636,7 @@ parse_odp_action(const char *s, const struct simap *port_names,
                 nested->nla_type = OVS_ACTION_ATTR_SET_MASKED;
             }
         }
+        ofpbuf_uninit(&maskbuf);
 
         nl_msg_end_nested(actions, start_ofs);
         return retval + 5;