From: Gurucharan Shetty <gshetty@nicira.com>
Date: Fri, 22 Mar 2013 23:25:36 +0000 (-0700)
Subject: odp-utils: Fix memory corruption while flow parsing.
X-Git-Tag: sliver-openvswitch-1.10.90-1~10^2~38
X-Git-Url: http://git.onelab.eu/?p=sliver-openvswitch.git;a=commitdiff_plain;h=2aef12142500cd9db13d23df7155518cdab2e353

odp-utils: Fix memory corruption while flow parsing.

Currently, when flow attribute type is greater than OVS_KEY_ATTR_MAX,
we can write into a random memory address causing corruption. Fix it.

Bug #15702.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
---

diff --git a/lib/odp-util.c b/lib/odp-util.c
index f9e9321ba..751c1c923 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -1714,6 +1714,7 @@ parse_flow_nlattrs(const struct nlattr *key, size_t key_len,
     uint64_t present_attrs;
     size_t left;
 
+    BUILD_ASSERT(OVS_KEY_ATTR_MAX < CHAR_BIT * sizeof present_attrs);
     present_attrs = 0;
     *out_of_range_attrp = 0;
     NL_ATTR_FOR_EACH (nla, left, key, key_len) {
@@ -1728,7 +1729,7 @@ parse_flow_nlattrs(const struct nlattr *key, size_t key_len,
             return false;
         }
 
-        if (type >= CHAR_BIT * sizeof present_attrs) {
+        if (type > OVS_KEY_ATTR_MAX) {
             *out_of_range_attrp = type;
         } else {
             if (present_attrs & (UINT64_C(1) << type)) {