ofp-actions: Avoid overflow for ofpact_learn_spec->n_bits

ofpact_learn_spec->n_bits is the size of immediate data that is
following ofpact_learn_spec. Now it is defined as 'uint8_t'.
In many places, it gets its value directly from mf_subfield->n_bits,
whose type is 'unsigned int'. If input is large enough, there will
be uint8_t overflow.

For example, the following command will make ovs-ofctl crash:
ovs-ofctl add-flow br0 "table=0, priority=0, action=learn(limit=20  tun_metadata15=0x60ff00000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fffffffffffffff0ffffffffffffffffffffffffffff)"

This patch fixies this issue by changing type of ofpact_learn_spec->n_bits
from uint8_t to uint32_t.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11870
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

1 files changed, 1 insertions, 1 deletions

diff --git a/include/openvswitch/ofp-actions.h b/include/openvswitch/ofp-actions.h
index 4daf5ad07..caaa37c05 100644
--- a/include/openvswitch/ofp-actions.h
+++ b/include/openvswitch/ofp-actions.h
@@ -799,7 +799,7 @@ struct ofpact_learn_spec {
                                     * NX_LEARN_DST_LOAD only. */
         uint16_t src_type;         /* One of NX_LEARN_SRC_*. */
         uint16_t dst_type;         /* One of NX_LEARN_DST_*. */
-        uint8_t n_bits;            /* Number of bits in source and dest. */
+        uint32_t n_bits;           /* Number of bits in source and dest. */
     );
     /* Followed by 'DIV_ROUND_UP(n_bits, 8)' bytes of immediate data for
      * match 'dst_type's NX_LEARN_DST_MATCH and NX_LEARN_DST_LOAD when