ovs-router: Fix potential integer overflow.

chumakd · igsilya · commit e03eac274d82 · 2026-01-16T18:25:43.000+01:00
There was a theoretical (but unlikely to happen in practice) integer overflow in ovs_router_rule_add_cmd() in the case when rule list comprised only of rules with priority zero, the new rule priority would be calculated as UINT_MAX. Coverity issue: CID 556927: Integer handling issues (INTEGER_OVERFLOW) Expression "rule->prio - 1U", where "rule->prio" is known to be equal to 0, under-flows the type of "rule->prio - 1U", which is type "unsigned int". Fixes: e2a2415 ("ovs-router: Introduce ovs/route/rule/{add, del} commands.") Signed-off-by: Dima Chumak <dchumak@nvidia.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
diff --git a/lib/ovs-router.c b/lib/ovs-router.c
@@ -1030,8 +1030,7 @@ ovs_router_rule_add_cmd(struct unixctl_conn *conn, int argc OVS_UNUSED,
         uint32_t prev_prio = 0;
 
         PVECTOR_FOR_EACH (rule, &rules) {
-            if ((!prio && rule->prio) ||
-                (rule->prio - prev_prio > 1)) {
+            if (rule->prio && (!prio || (rule->prio - prev_prio > 1))) {
                 prio = rule->prio - 1;
             }
             prev_prio = rule->prio;

Original file line number	Diff line number	Diff line change
`@@ -1030,8 +1030,7 @@ ovs_router_rule_add_cmd(struct unixctl_conn *conn, int argc OVS_UNUSED,`
`1030`	`1030`	`uint32_t prev_prio = 0;`
`1031`	`1031`
`1032`	`1032`	`PVECTOR_FOR_EACH (rule, &rules) {`
`1033`		`- if ((!prio && rule->prio) \|\|`
`1034`		`- (rule->prio - prev_prio > 1)) {`
	`1033`	`+ if (rule->prio && (!prio \|\| (rule->prio - prev_prio > 1))) {`
`1035`	`1034`	`prio = rule->prio - 1;`
`1036`	`1035`	`}`
`1037`	`1036`	`prev_prio = rule->prio;`