Message ID | 20170526195906.23543-1-blp@ovn.org |
---|---|
State | Accepted |
On Fri, May 26, 2017 at 12:59:06PM -0700, Ben Pfaff wrote:
> This code blindly read forward for the number of bytes specified by the
> message without checking that it was in range.
>
> This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
> OpenFlow 1.5 support by default.
>
> Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
> Signed-off-by: Ben Pfaff <blp@ovn.org>

This patch needs a review.
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>

On Thu, Jul 6, 2017 at 4:46 PM, Ben Pfaff <blp@ovn.org> wrote:
> On Fri, May 26, 2017 at 12:59:06PM -0700, Ben Pfaff wrote:
>> This code blindly read forward for the number of bytes specified by the
>> message without checking that it was in range.
>>
>> This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
>> OpenFlow 1.5 support by default.
>>
>> Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
>> Signed-off-by: Ben Pfaff <blp@ovn.org>
>
> This patch needs a review.
Thanks! I applied this to master and backported as far as branch-2.4.

On Fri, Jul 07, 2017 at 10:01:30AM -0700, Yi-Hung Wei wrote:
> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
>
> On Thu, Jul 6, 2017 at 4:46 PM, Ben Pfaff <blp@ovn.org> wrote:
> > On Fri, May 26, 2017 at 12:59:06PM -0700, Ben Pfaff wrote:
> >> This code blindly read forward for the number of bytes specified by the
> >> message without checking that it was in range.
> >>
> >> This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
> >> OpenFlow 1.5 support by default.
> >>
> >> Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
> >> Signed-off-by: Ben Pfaff <blp@ovn.org>
> >
> > This patch needs a review.
diff --git a/lib/ofp-util.c b/lib/ofp-util.c index f05ca398c13e..46bc628d4191 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -9581,6 +9581,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version, } bucket_list_len = ntohs(ogm->bucket_array_len); + if (bucket_list_len > msg->size) { + return OFPERR_OFPBRC_BAD_LEN; + } error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version, gm->type, &gm->buckets); if (error) {
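Review bot: The new `bucket_list_len > msg->size` check is placed in the caller, ofputil_pull_ofp15_group_mod, just before the call to ofputil_pull_ofp15_buckets, so the helper itself still accepts whatever length it is passed; consider moving the check into ofputil_pull_ofp15_buckets (or repeating it there) so any other caller is covered too. A short comment stating that msg->size at this point is meant to be the bytes left after the fixed group-mod header would make the comparison easier to verify. Since the diff only adds these three lines to lib/ofp-util.c, a regression test that feeds a group mod with an oversized bucket_array_len and expects OFPERR_OFPBRC_BAD_LEN would keep the fix from regressing.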
This code blindly read forward for the number of bytes specified by the
message without checking that it was in range.

This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
OpenFlow 1.5 support by default.

Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
---
 lib/ofp-util.c | 3 +++
 1 file changed, 3 insertions(+)