diff options
author | Joe Stringer <joe@ovn.org> | 2016-03-03 21:22:50 +1300 |
---|---|---|
committer | Joe Stringer <joe@ovn.org> | 2016-03-03 13:55:07 -0800 |
commit | 5308056f53406e75d211f73a2847f9ebdf9c91c8 (patch) | |
tree | f066d35d3f177f0f894a69572847d1965818d671 /lib/ofp-actions.c | |
parent | 19b58f3cbcb3191432eefba3a504376399cc07a7 (diff) | |
download | openvswitch-5308056f53406e75d211f73a2847f9ebdf9c91c8.tar.gz |
ofp-actions: Prevent integer overflow in decode.
When decoding a variable-length action, if the length of the action
exceeds the length storable in a uint16_t then something has gone
terribly wrong. Assert that this is not the case.
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Jarno Rajahalme <jarno@ovn.org>
Diffstat (limited to 'lib/ofp-actions.c')
-rw-r--r-- | lib/ofp-actions.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c index fe1424f13..905469b6b 100644 --- a/lib/ofp-actions.c +++ b/lib/ofp-actions.c @@ -7401,8 +7401,12 @@ ofpact_init(struct ofpact *ofpact, enum ofpact_type type, size_t len) void ofpact_finish(struct ofpbuf *ofpacts, struct ofpact *ofpact) { + ptrdiff_t len; + ovs_assert(ofpact == ofpacts->header); - ofpact->len = (char *) ofpbuf_tail(ofpacts) - (char *) ofpact; + len = (char *) ofpbuf_tail(ofpacts) - (char *) ofpact; + ovs_assert(len <= UINT16_MAX); + ofpact->len = len; ofpbuf_padto(ofpacts, OFPACT_ALIGN(ofpacts->size)); } |