author | Toms Atteka <cpp.code.lv@gmail.com> | 2019-03-20 13:40:19 -0700 |
---|---|---|
committer | Ben Pfaff <blp@ovn.org> | 2019-03-26 14:12:37 -0700 |
commit | 8e738337a2c25c3d6ede2829d6ffd9af6bcd36a5 (patch) | |
tree | 691eeb76026dfd7410ceddf1555548718c5304e4 /include/openvswitch | |
parent | 723b6ab2df688b8bfe2fd5e3e2275749040a616c (diff) | |
download | openvswitch-8e738337a2c25c3d6ede2829d6ffd9af6bcd36a5.tar.gz |
lib: added check to prevent int overflow
If a large enough input is given, ofpact_finish will fail.
Implemented ofpbuf_oversized function to check for oversized
buffer. Checks were added for parse functions and error messages
returned.
Basic manual testing performed.
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Reported-by: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12972
Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'include/openvswitch')
-rw-r--r-- | include/openvswitch/ofpbuf.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/include/openvswitch/ofpbuf.h b/include/openvswitch/ofpbuf.h
index e4cf0883c..1136ba04c 100644
--- a/include/openvswitch/ofpbuf.h
+++ b/include/openvswitch/ofpbuf.h
@@ -162,6 +162,7 @@ char *ofpbuf_to_string(const struct ofpbuf *, size_t maxbytes);
 static inline struct ofpbuf *ofpbuf_from_list(const struct ovs_list *);
 void ofpbuf_list_delete(struct ovs_list *);
 static inline bool ofpbuf_equal(const struct ofpbuf *, const struct ofpbuf *);
+static inline bool ofpbuf_oversized(const struct ofpbuf *ofpacts);
 /* Frees memory that 'b' points to, as well as 'b' itself. */
@@ -272,6 +273,11 @@ static inline bool ofpbuf_equal(const struct ofpbuf *a, const struct ofpbuf *b)
 memcmp(a->data, b->data, a->size) == 0;
 }
+static inline bool ofpbuf_oversized(const struct ofpbuf *ofpacts)
+{
+ return (char *)ofpbuf_tail(ofpacts) - (char *)ofpacts->header > UINT16_MAX;
+}
+
 #ifdef __cplusplus
 }
 #endif |
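Review bot: ofpbuf_oversized() in the second hunk subtracts `ofpacts->header` from the tail without documenting or checking that `header` is set; if a caller passes a buffer whose `header` is NULL or does not point into the buffer, the pointer difference is undefined and the size check is meaningless. The helper lives in the generic ofpbuf.h but has no comment saying which limit it enforces; going by the commit message, the `UINT16_MAX` bound presumably matches the 16-bit length that ofpact_finish stores. I would add above the definition: `/* Returns true if the bytes from 'ofpacts->header' to the tail of 'ofpacts' exceed UINT16_MAX. 'ofpacts->header' must be nonnull and point into the buffer. */`. The prototype added in the first hunk uses the same ofpacts-specific parameter name. The callers are outside this page (the diffstat is limited to include/openvswitch), so whether each parse path checks before the length is truncated cannot be confirmed here.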