Commit 1fce5274 authored by Joe Stringer's avatar Joe Stringer

ofp-actions: Prevent integer overflow in decode.

Upstream commit 5308056f.

When decoding a variable-length action, if the length of the action
exceeds the length storable in a uint16_t then something has gone
terribly wrong. Assert that this is not the case.
Signed-off-by: default avatarJoe Stringer <joe@ovn.org>
Acked-by: default avatarJarno Rajahalme <jarno@ovn.org>
parent 0bdf8e23
......@@ -6205,8 +6205,12 @@ ofpact_init(struct ofpact *ofpact, enum ofpact_type type, size_t len)
void
ofpact_update_len(struct ofpbuf *ofpacts, struct ofpact *ofpact)
{
ptrdiff_t len;
ovs_assert(ofpact == ofpacts->header);
ofpact->len = (char *) ofpbuf_tail(ofpacts) - (char *) ofpact;
len = (char *) ofpbuf_tail(ofpacts) - (char *) ofpact;
ovs_assert(len <= UINT16_MAX);
ofpact->len = len;
}
/* Pads out 'ofpacts' to a multiple of OFPACT_ALIGNTO bytes in length. Each
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment