[ovs-dev] [PATCH v4 1/3] ofp-util: Fix buffer overread in ofputil_decode_bundle_add().
Ben Pfaff
blp at ovn.org
Thu Sep 21 16:59:56 UTC 2017
A buffer overread of up to 4 bytes was possible given a malformed
message. The message was discarded following the overread.
Found by libFuzzer.
Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
lib/ofp-util.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index 86dd5cb61653..e915cb2ab2d7 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header *oh,
msg->bundle_id = ntohl(m->bundle_id);
msg->flags = ntohs(m->flags);
+ if (b.size < sizeof(struct ofp_header)) {
+ return OFPERR_OFPBFC_MSG_BAD_LEN;
+ }
msg->msg = b.data;
if (msg->msg->version != oh->version) {
return OFPERR_OFPBFC_BAD_VERSION;
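Review bot: the new `b.size < sizeof(struct ofp_header)` check before `msg->msg = b.data;` only guarantees that the fixed-size OpenFlow header of the embedded message is readable; `msg->msg` is then dereferenced as a full `struct ofp_header`, whose `length` field describes how many more bytes the inner message claims to occupy. Please confirm, in the part of `ofputil_decode_bundle_add()` that follows this hunk, that the inner header's `length` is also checked against `b.size` (and against `sizeof(struct ofp_header)` as a lower bound) before anything after the header is read, so the fix covers the variable-length body as well as the 8-byte header. A one-line comment above the check stating that `b` holds the remaining bytes of the bundle-add message and must contain at least a complete header would also help the next reader see why the length test sits here rather than in the caller; returning `OFPERR_OFPBFC_MSG_BAD_LEN` for the short case looks like the right error code for a truncated bundled message.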
--
2.10.2