diff options
| author | Ilya Maximets <i.maximets@ovn.org> | 2021-06-16 22:34:48 +0200 |
|---|---|---|
| committer | Ilya Maximets <i.maximets@ovn.org> | 2021-07-07 22:48:05 +0200 |
| commit | b57b062f5d514f33ba843884c4a3a8aad80b6b04 (patch) | |
| tree | adf9a2adfe889b8825b730d4fb3bf4bdd8ac1a2e | |
| parent | b30bfb6b8db19c8696592ed325e64ed208bc4438 (diff) | |
| download | openvswitch-b57b062f5d514f33ba843884c4a3a8aad80b6b04.tar.gz | |
ofp-actions: Report an error if there are too many actions to parse.
Not a very important fix, but fuzzer times out trying to test parsing
of a huge number of actions. Fixing that by reporting an error as
soon as ofpacts oversized.
It would be great to use ofpbuf_oversized() function instead of manual
size checking, but ofpacts->header here always points to the last
pushed action, so the value that ofpbuf_oversized() would check is
always small.
Adding a unit test for this, plus the extra test for too deep nesting.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20254
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Alin-Gabriel Serdean <aserdean@ovn.org>
| -rw-r--r-- | lib/ofp-actions.c | 4 | ||||
| -rw-r--r-- | tests/ofp-actions.at | 6 |
2 files changed, 10 insertions, 0 deletions
diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c index 6fb3da507..ecf914eac 100644 --- a/lib/ofp-actions.c +++ b/lib/ofp-actions.c @@ -9326,6 +9326,7 @@ static char * OVS_WARN_UNUSED_RESULT ofpacts_parse__(char *str, const struct ofpact_parse_params *pp, bool allow_instructions, enum ofpact_type outer_action) { + uint32_t orig_size = pp->ofpacts->size; char *key, *value; bool drop = false; char *pos; @@ -9370,6 +9371,9 @@ ofpacts_parse__(char *str, const struct ofpact_parse_params *pp, if (error) { return error; } + if (pp->ofpacts->size - orig_size > UINT16_MAX) { + return xasprintf("input too big"); + } } if (drop && pp->ofpacts->size) { diff --git a/tests/ofp-actions.at b/tests/ofp-actions.at index 59093c03c..ef4898abb 100644 --- a/tests/ofp-actions.at +++ b/tests/ofp-actions.at @@ -1144,4 +1144,10 @@ bad_action 'apply_actions' 'apply_actions is the default instruction' bad_action 'xyzzy' 'unknown action xyzzy' bad_action 'drop,3' '"drop" must not be accompanied by any other action or instruction' +# Too many actions +writes=$(printf 'write_actions(%.0s' $(seq 100)) +bad_action "${writes}" 'Action nested too deeply' +outputs=$(printf '1,%.0s' $(seq 4096)) +bad_action "${outputs}" 'input too big' + AT_CLEANUP |