[ovs-dev] [PATCH] ofp-util: Check length of buckets in ofputil_pull_ofp15_group_mod().

Ben Pfaff blp at ovn.org
Fri May 26 19:59:06 UTC 2017


This code blindly read forward for the number of bytes specified by the
message without checking that it was in range.

This bug is part of OpenFlow 1.5 support.  Open vSwitch does not enable
OpenFlow 1.5 support by default.

Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 lib/ofp-util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index f05ca398c13e..46bc628d4191 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -9581,6 +9581,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
     }
 
     bucket_list_len = ntohs(ogm->bucket_array_len);
+    if (bucket_list_len > msg->size) {
+        return OFPERR_OFPBRC_BAD_LEN;
+    }
     error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
                                        gm->type, &gm->buckets);
     if (error) {
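Review bot: The new check right after bucket_list_len = ntohs(ogm->bucket_array_len) compares against msg->size, which is only the right bound if msg has already been advanced past the fixed group-mod header by this point. The hunk does not show that pull, so a short comment on the check stating that msg->size is the remaining payload here would make the invariant explicit for later readers. The diffstat also touches only lib/ofp-util.c, so no regression test accompanies the fix. A decode test with an OpenFlow 1.5 group mod whose bucket_array_len exceeds the bytes left in the message, expecting OFPERR_OFPBRC_BAD_LEN, would keep the read from going out of range again.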
-- 
2.10.2


