odp-util: Fix buffer overread in parsing string form of ODP flows.

scan_u128() should return 0 on an error but it actually returned an errno
value in some cases, so a command like this:
    ovs-appctl dpctl/add-flow 'ct_label(1/55555555555555555555555555)' ''
could cause a buffer overread.

This bug is not as severe as it may sound because the string form of ODP
flows is not used over OpenFlow or OVSDB, only through the appctl interface
that is normally used just by local system administrators and not exposed
over a network.

Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>

diff --git a/lib/odp-util.c b/lib/odp-util.c
index b348ab680d9fb91a8c0164292d27aa2e83a3b624..45a890c46aa0ad264d2099a90e40494298fa0354 100644 (file)
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -3552,7 +3552,7 @@ scan_u128(const char *s_, ovs_u128 *value, ovs_u128 *mask)
                 error = parse_int_string(s, (uint8_t *)&be_mask,
                                          sizeof be_mask, &s);
                 if (error) {
-                    return error;
+                    return 0;
                 }
                 *mask = ntoh128(be_mask);
             } else {