[ovs-dev] [PATCH v4 1/3] ofp-util: Fix buffer overread in ofputil_decode_bundle_add().

Justin Pettit jpettit at ovn.org
Fri Sep 22 21:06:01 UTC 2017


> On Sep 21, 2017, at 9:59 AM, Ben Pfaff <blp at ovn.org> wrote:
> 
> A buffer overread of up to 4 bytes was possible given a malformed
> message.  The message was discarded following the overread.
> 
> Found by libFuzzer.
> 
> Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
> Signed-off-by: Ben Pfaff <blp at ovn.org>
> ---
> lib/ofp-util.c | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/lib/ofp-util.c b/lib/ofp-util.c
> index 86dd5cb61653..e915cb2ab2d7 100644
> --- a/lib/ofp-util.c
> +++ b/lib/ofp-util.c
> @@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header *oh,
>     msg->bundle_id = ntohl(m->bundle_id);
>     msg->flags = ntohs(m->flags);
> 
> +    if (b.size < sizeof(struct ofp_header)) {
> +        return OFPERR_OFPBFC_MSG_BAD_LEN;
> +    }
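Review bot: The new length check in this hunk carries no comment, and at first read it looks like a second check on the outer `oh` header that `ofputil_decode_bundle_add()` has presumably already validated rather than on the inner OpenFlow message that follows `m`. A one-line comment above the `if`, e.g. `/* The inner message must at least carry a full OpenFlow header. */`, would make the intent clear. Also worth confirming while here: this check only guarantees that `sizeof(struct ofp_header)` bytes remain in `b`; whether the inner header's own `length` field is later compared against `b.size` is outside the lines shown, so the reader should verify that the subsequent decoding of the inner message does so rather than trusting the embedded length.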

Do you mind adding a brief comment indicating that this is checking the inner OpenFlow header?  It will help people like me who miss that.  :-)

Acked-by: Justin Pettit <jpettit at ovn.org>

Thanks,

--Justin
