From 5308056f53406e75d211f73a2847f9ebdf9c91c8 Mon Sep 17 00:00:00 2001
From: Joe Stringer
Date: Thu, 3 Mar 2016 21:22:50 +1300
Subject: [PATCH] ofp-actions: Prevent integer overflow in decode.

When decoding a variable-length action, if the length of the action exceeds the length storable in a uint16_t then something has gone terribly wrong. Assert that this is not the case.

Signed-off-by: Joe Stringer
Acked-by: Jarno Rajahalme
---
 lib/ofp-actions.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
index fe1424f13..905469b6b 100644
--- a/lib/ofp-actions.c
+++ b/lib/ofp-actions.c
@@ -7401,8 +7401,12 @@ ofpact_init(struct ofpact *ofpact, enum ofpact_type type, size_t len)
 void
 ofpact_finish(struct ofpbuf *ofpacts, struct ofpact *ofpact)
 {
+ ptrdiff_t len;
+
 ovs_assert(ofpact == ofpacts->header);
- ofpact->len = (char *) ofpbuf_tail(ofpacts) - (char *) ofpact;
+ len = (char *) ofpbuf_tail(ofpacts) - (char *) ofpact;
+ ovs_assert(len <= UINT16_MAX);
+ ofpact->len = len;
 ofpbuf_padto(ofpacts, OFPACT_ALIGN(ofpacts->size));
 }
 
-- 
2.20.1
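Review bot: The added `ovs_assert(len <= UINT16_MAX);` in ofpact_finish() bounds only the upper side of a signed `ptrdiff_t`, so a negative difference would pass the check and still be narrowed when stored in `ofpact->len`; `ovs_assert(len > 0 && len <= UINT16_MAX);` covers both ends. The commit message says this path is reached while decoding variable-length actions, so if the action length can be influenced by a peer's message, the assertion turns a silent truncation into a process abort, which is safer for memory integrity but is still a denial-of-service condition. It would be worth confirming that the decoders which append the variable-length data reject oversized actions with an error return before calling ofpact_finish(), leaving this assert as a backstop only. A short comment above the assert, for example `/* ofpact->len is 16 bits wide; a longer action must never be stored. */`, would record why the bound exists.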