[{"id":1773877,"web_url":"http://patchwork.ozlabs.org/comment/1773877/","msgid":"<BDA7D957-59EC-48BB-B642-8CEF3281D658@ovn.org>","list_archive_url":null,"date":"2017-09-22T21:06:01","subject":"Re: [ovs-dev] [PATCH v4 1/3] ofp-util: Fix buffer overread in\n\tofputil_decode_bundle_add().","submitter":{"id":67602,"url":"http://patchwork.ozlabs.org/api/people/67602/","name":"Justin Pettit","email":"jpettit@ovn.org"},"content":"> On Sep 21, 2017, at 9:59 AM, Ben Pfaff <blp@ovn.org> wrote:\n> \n> A buffer overread of up to 4 bytes was possible given a malformed\n> message.  The message was discarded following the overread.\n> \n> Found by libFuzzer.\n> \n> Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>\n> Signed-off-by: Ben Pfaff <blp@ovn.org>\n> ---\n> lib/ofp-util.c | 3 +++\n> 1 file changed, 3 insertions(+)\n> \n> diff --git a/lib/ofp-util.c b/lib/ofp-util.c\n> index 86dd5cb61653..e915cb2ab2d7 100644\n> --- a/lib/ofp-util.c\n> +++ b/lib/ofp-util.c\n> 
@@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header *oh,\n>     msg->bundle_id = ntohl(m->bundle_id);\n>     msg->flags = ntohs(m->flags);\n> \n> +    if (b.size < sizeof(struct ofp_header)) {\n> +        return OFPERR_OFPBFC_MSG_BAD_LEN;\n> +    }\n\nDo you mind adding a brief comment indicating that this is checking the inner OpenFlow header?  It will help people like me who miss that.  :-)\n\nAcked-by: Justin Pettit <jpettit@ovn.org>\n\nThanks,\n\n--Justin"},
{"id":1773908,"web_url":"http://patchwork.ozlabs.org/comment/1773908/","msgid":"<20170922215528.GE15629@ovn.org>","list_archive_url":null,"date":"2017-09-22T21:55:28","subject":"Re: [ovs-dev] [PATCH v4 1/3] ofp-util: Fix buffer overread in\n\tofputil_decode_bundle_add().","submitter":{"id":67603,"url":"http://patchwork.ozlabs.org/api/people/67603/","name":"Ben Pfaff","email":"blp@ovn.org"},"content":"On Fri, Sep 22, 2017 at 02:06:01PM -0700, Justin Pettit wrote:\n> \n> > On Sep 21, 2017, at 9:59 AM, Ben Pfaff <blp@ovn.org> wrote:\n> > \n> > A buffer overread of up to 4 bytes was possible given a malformed\n> > message.  The message was discarded following the overread.\n> > \n> > Found by libFuzzer.\n> > \n> > Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>\n> > Signed-off-by: Ben Pfaff <blp@ovn.org>\n> > ---\n> > lib/ofp-util.c | 3 +++\n> > 1 file changed, 3 insertions(+)\n> > \n> > diff --git a/lib/ofp-util.c b/lib/ofp-util.c\n> > index 86dd5cb61653..e915cb2ab2d7 100644\n> > --- a/lib/ofp-util.c\n> > +++ b/lib/ofp-util.c\n> 
> @@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header *oh,\n> >     msg->bundle_id = ntohl(m->bundle_id);\n> >     msg->flags = ntohs(m->flags);\n> > \n> > +    if (b.size < sizeof(struct ofp_header)) {\n> > +        return OFPERR_OFPBFC_MSG_BAD_LEN;\n> > +    }\n> \n> Do you mind adding a brief comment indicating that this is checking the inner OpenFlow header?  It will help people like me who miss that.  :-)\n> \n> Acked-by: Justin Pettit <jpettit@ovn.org>\n\nSure, I added some comments and applied this to master and then\nbackported as far as 2.6."}]
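Review bot: the added b.size < sizeof(struct ofp_header) test in ofputil_decode_bundle_add() only establishes that a fixed-size inner OpenFlow header is present in the remaining buffer; the visible lines do not show the inner header's own length field being compared with b.size, so confirm that this comparison happens before the inner message is decoded. A one-line comment above the check stating that it guards the inner (embedded) header, as requested in the thread, would make the intent clear to readers, and because the commit message credits libFuzzer, keeping the triggering input as a regression test would stop the overread from coming back unnoticed.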