On Thu, Jun 19, 2014 at 4:30 PM, Pravin Shelar <pshe...@nicira.com> wrote:
> On Thu, Jun 19, 2014 at 4:07 PM, Jesse Gross <je...@nicira.com> wrote:
>> On Thu, Jun 19, 2014 at 1:33 PM, Pravin Shelar <pshe...@nicira.com> wrote:
>>>> diff --git a/datapath/flow.c b/datapath/flow.c
>>>> index f1bb95d..7b108ed 100644
>>>> --- a/datapath/flow.c
>>>> +++ b/datapath/flow.c
>>>> @@ -455,6 +455,13 @@ int ovs_flow_extract(struct sk_buff *skb, u16
>>>> in_port, struct sw_flow_key *key)
>>>> struct ovs_tunnel_info *tun_info = OVS_CB(skb)->tun_info;
>>>> memcpy(&key->tun_key, &tun_info->tunnel,
>>>> sizeof(key->tun_key));
>>>> + if (tun_info->options) {
>>>> + memcpy(GENEVE_OPTS(key, tun_info->options_len),
>>>> + tun_info->options, tun_info->options_len);
>>> Need to check options_len before copying data from packet.
>>
>> I think we should be OK here since we already checked it in
>> geneve_rcv() when we populated tun_info. Is there anything else that
>> we need to check?
>>
> I am not sure where is opts_len checked if it is less than key->tun_opts[]
> size.
Oh, I see you meant the destination instead of the source.
It's implicitly limited by the fact that the length is a u8 and the
array size is 255. We could add a length check in anyways as a sanity
check or maybe do a build assert.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
