| Message ID | 20170920194818.26403-2-blp@ovn.org |
|---|---|
| State | Superseded |
| Series | Fix memory leaks and overreads in ofp-util |
diff --git a/lib/ofp-util.c b/lib/ofp-util.c index 86dd5cb61653..e915cb2ab2d7 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header *oh, msg->bundle_id = ntohl(m->bundle_id); msg->flags = ntohs(m->flags); + if (b.size < sizeof(struct ofp_header)) { + return OFPERR_OFPBFC_MSG_BAD_LEN; + } msg->msg = b.data; if (msg->msg->version != oh->version) { return OFPERR_OFPBFC_BAD_VERSION;
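Review bot: the new `b.size < sizeof(struct ofp_header)` check correctly guards the `msg->msg->version` dereference that follows, but it only establishes that a full `struct ofp_header` is present in the bundle body; it does not establish that the inner message's own length field agrees with `b.size`. If the code below this hunk does not already compare `ntohs(msg->msg->length)` against `b.size`, that consistency check belongs here as well, returning the same `OFPERR_OFPBFC_MSG_BAD_LEN`. Placing the check before `msg->msg = b.data;` is the right ordering, since nothing reads through the pointer until it has been validated; a one-line comment stating that the inner message must carry at least a complete header would make the intent clear to future readers.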
A buffer overread of up to 4 bytes was possible given a malformed message. The message was discarded following the overread.

Found by libFuzzer.

Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
---
 lib/ofp-util.c | 3 +++
 1 file changed, 3 insertions(+)