[ovs-dev] [PATCH] ofp-actions: Properly check for action that exceeds buffer length.
Justin Pettit
jpettit at nicira.com
Thu Oct 23 21:05:04 UTC 2014
Acked-by: Justin Pettit <jpettit at nicira.com>
--Justin
> On Oct 20, 2014, at 2:45 PM, Ben Pfaff <blp at nicira.com> wrote:
>
> Commit c2d936a44fa (ofp-actions: Centralize all OpenFlow action code for
> maintainability.) rewrote OpenFlow action parsing but failed to check that
> actions don't overflow their buffers. This commit fixes the problem and
> adds negative tests so that this bug doesn't recur.
>
> Reported-by: Tomer Pearl <Tomer.Pearl at Contextream.com>
> Signed-off-by: Ben Pfaff <blp at nicira.com>
> ---
> lib/ofp-actions.c | 5 +++++
> tests/ofp-actions.at | 16 ++++++++++++++++
> 2 files changed, 21 insertions(+)
>
> diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
> index 7d9ee58..41c7622 100644
> --- a/lib/ofp-actions.c
> +++ b/lib/ofp-actions.c
> @@ -6406,6 +6406,11 @@ ofpact_pull_raw(struct ofpbuf *buf, enum ofp_version ofp_version,
> }
>
> length = ntohs(oah->len);
> + if (length > ofpbuf_size(buf)) {
> + VLOG_WARN_RL(&rl, "OpenFlow action %s length %u exceeds action buffer "
> + "length %"PRIu32, action->name, length, ofpbuf_size(buf));
> + return OFPERR_OFPBAC_BAD_LEN;
> + }
> if (length < action->min_length || length > action->max_length) {
> VLOG_WARN_RL(&rl, "OpenFlow action %s length %u not in valid range "
> "[%hu,%hu]", action->name, length,
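Review bot: The new `if (length > ofpbuf_size(buf))` test has no comment explaining why it must come before the min_length/max_length range check. `length` is taken directly from the wire via ntohs(oah->len), so it has to be bounded by the bytes actually present in the buffer before anything else trusts it. A one-line comment saying so would keep the two checks from being reordered or merged later. As a minor point, the warning prints `length` with %u and ofpbuf_size(buf) with PRIu32; confirm that matches the return type of ofpbuf_size(), or cast explicitly.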
> diff --git a/tests/ofp-actions.at b/tests/ofp-actions.at
> index 64b4bc2..311c3c5 100644
> --- a/tests/ofp-actions.at
> +++ b/tests/ofp-actions.at
> @@ -119,6 +119,22 @@ ffff 0020 00002320 0015 000500000000 80003039005A02fd 0400000000000000
> # actions=sample(probability=12345,collector_set_id=23456,obs_domain_id=34567,obs_point_id=45678)
> ffff 0018 00002320 001d 3039 00005BA0 00008707 0000B26E
>
> +# bad OpenFlow10 actions: OFPBAC_BAD_LEN
> +& ofp_actions|WARN|OpenFlow action OFPAT_OUTPUT length 240 exceeds action buffer length 8
> +& ofp_actions|WARN|bad action at offset 0 (OFPBAC_BAD_LEN):
> +& 00000000 00 00 00 f0 00 00 00 00-
> +00 00 00 f0 00 00 00 00
> +
> +# bad OpenFlow10 actions: OFPBAC_BAD_LEN
> +& ofp_actions|WARN|OpenFlow action OFPAT_OUTPUT length 16 exceeds action buffer length 8
> +& ofp_actions|WARN|bad action at offset 0 (OFPBAC_BAD_LEN):
> +& 00000000 00 00 00 10 ff fe ff ff-
> +00 00 00 10 ff fe ff ff
> +
> +# bad OpenFlow10 actions: OFPBAC_BAD_LEN
> +& ofp_actions|WARN|OpenFlow action OFPAT_OUTPUT length 9 exceeds action buffer length 8
> +00 00 00 09 ff fe ff ff
> +
> ])
> sed '/^[[#&]]/d' < test-data > input.txt
> sed -n 's/^# //p; /^$/p' < test-data > expout
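Review bot: The third new case (00 00 00 09 ff fe ff ff, length 9) expects only the "exceeds action buffer length 8" warning, while the first two cases also expect the "bad action at offset 0 (OFPBAC_BAD_LEN):" line and a hex dump. If the difference is intentional, say why in a comment in the test data; otherwise add the missing "&" lines. All three cases also place the oversized OFPAT_OUTPUT action at offset 0 of an 8-byte OpenFlow10 buffer, so a case where a well-formed action precedes the oversized one would show the check holds against the bytes remaining after earlier actions are consumed.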
> --
> 1.7.10.4
>