diff options
author | Ilya Maximets <i.maximets@ovn.org> | 2020-12-21 16:01:04 +0100 |
---|---|---|
committer | Ilya Maximets <i.maximets@ovn.org> | 2020-12-22 00:25:04 +0100 |
commit | 55f2b065acd477a6810d5279fcace8b42bd594f5 (patch) | |
tree | c92b521e44f818d453ae74e29c180f7f4567f888 /ofproto/ofproto-dpif-xlate.c | |
parent | c5b4b0ce95a31f1a2fadc8eecd8027434357b9eb (diff) | |
download | openvswitch-55f2b065acd477a6810d5279fcace8b42bd594f5.tar.gz |
odp-util: Fix netlink message overflow with userdata.
Too big userdata could overflow netlink message leading to out-of-bound
memory accesses or assertion while formatting nested actions.
Fix that by checking the size and returning correct error code.
Credit to OSS-Fuzz.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27640
Fixes: e995e3df57ea ("Allow OVS_USERSPACE_ATTR_USERDATA to be variable length.")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Diffstat (limited to 'ofproto/ofproto-dpif-xlate.c')
-rw-r--r-- | ofproto/ofproto-dpif-xlate.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c index 4ea776052..2715a142b 100644 --- a/ofproto/ofproto-dpif-xlate.c +++ b/ofproto/ofproto-dpif-xlate.c @@ -3223,12 +3223,11 @@ compose_sample_action(struct xlate_ctx *ctx, odp_port_t odp_port = ofp_port_to_odp_port( ctx->xbridge, ctx->xin->flow.in_port.ofp_port); uint32_t pid = dpif_port_get_pid(ctx->xbridge->dpif, odp_port); - size_t cookie_offset = odp_put_userspace_action(pid, cookie, - sizeof *cookie, - tunnel_out_port, - include_actions, - ctx->odp_actions); - + size_t cookie_offset; + int res = odp_put_userspace_action(pid, cookie, sizeof *cookie, + tunnel_out_port, include_actions, + ctx->odp_actions, &cookie_offset); + ovs_assert(res == 0); if (is_sample) { nl_msg_end_nested(ctx->odp_actions, actions_offset); nl_msg_end_nested(ctx->odp_actions, sample_offset); @@ -4832,7 +4831,7 @@ put_controller_user_action(struct xlate_ctx *ctx, ctx->xin->flow.in_port.ofp_port); uint32_t pid = dpif_port_get_pid(ctx->xbridge->dpif, odp_port); odp_put_userspace_action(pid, &cookie, sizeof cookie, ODPP_NONE, - false, ctx->odp_actions); + false, ctx->odp_actions, NULL); } static void |