From patchwork Wed Aug 15 22:03:43 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ben Pfaff <blp@ovn.org>
X-Patchwork-Id: 958054
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=openvswitch.org
	(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;
	envelope-from=ovs-dev-bounces@openvswitch.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=none (p=none dis=none) header.from=ovn.org
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
	[140.211.169.12])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 41rNlb4Rbhz9sBq
	for <incoming@patchwork.ozlabs.org>;
	Thu, 16 Aug 2018 08:03:55 +1000 (AEST)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
	by mail.linuxfoundation.org (Postfix) with ESMTP id D84B0D54;
	Wed, 15 Aug 2018 22:03:52 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id CD2F6D21
	for <dev@openvswitch.org>; Wed, 15 Aug 2018 22:03:50 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net
	[217.70.183.196])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 35F357CA
	for <dev@openvswitch.org>; Wed, 15 Aug 2018 22:03:49 +0000 (UTC)
X-Originating-IP: 208.91.3.26
Received: from sigabrt.benpfaff.org (unknown [208.91.3.26])
	(Authenticated sender: blp@ovn.org)
	by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 57AA9E0003;
	Wed, 15 Aug 2018 22:03:46 +0000 (UTC)
From: Ben Pfaff <blp@ovn.org>
To: dev@openvswitch.org
Date: Wed, 15 Aug 2018 15:03:43 -0700
Message-Id: <20180815220343.25909-1-blp@ovn.org>
X-Mailer: git-send-email 2.16.1
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Ben Pfaff <blp@ovn.org>
Subject: [ovs-dev] [PATCH] ofp-ed-props: Fix hang for crafted OpenFlow
	encap/decap properties.
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
MIME-Version: 1.0
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org

decode_ed_prop() accepted encap/decap properties with a reported length of
0, without consuming any data from the property list, which yielded an
infinite loop.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9918
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Darrell Ball<dlu998@gmail.com>
---
 lib/ofp-ed-props.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ofp-ed-props.c b/lib/ofp-ed-props.c
index 901da2f0dd1b..28382e01235c 100644
--- a/lib/ofp-ed-props.c
+++ b/lib/ofp-ed-props.c
@@ -35,7 +35,7 @@ decode_ed_prop(const struct ofp_ed_prop_header **ofp_prop,
     size_t len = (*ofp_prop)->len;
     size_t pad_len = ROUND_UP(len, 8);
 
-    if (pad_len > *remaining) {
+    if (len < sizeof **ofp_prop || pad_len > *remaining) {
         return OFPERR_OFPBAC_BAD_LEN;
     }