@@ -9174,6 +9174,7 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length,
if (!ob) {
VLOG_WARN_RL(&bad_ofmsg_rl, "buckets end with %"PRIuSIZE" leftover bytes",
buckets_length);
+ ofputil_bucket_list_destroy(buckets);
return OFPERR_OFPGMFC_BAD_BUCKET;
}
@@ -9181,11 +9182,13 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length,
if (ob_len < sizeof *ob) {
VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length "
"%"PRIuSIZE" is not valid", ob_len);
+ ofputil_bucket_list_destroy(buckets);
return OFPERR_OFPGMFC_BAD_BUCKET;
} else if (ob_len > buckets_length) {
VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length "
"%"PRIuSIZE" exceeds remaining buckets data size %"PRIuSIZE,
ob_len, buckets_length);
+ ofputil_bucket_list_destroy(buckets);
return OFPERR_OFPGMFC_BAD_BUCKET;
}
buckets_length -= ob_len;
@@ -9817,6 +9820,7 @@ ofputil_pull_ofp11_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
&& gm->command == OFPGC11_DELETE
&& !ovs_list_is_empty(&gm->buckets)) {
error = OFPERR_OFPGMFC_INVALID_GROUP;
+ ofputil_bucket_list_destroy(&gm->buckets);
}
return error;
@@ -9881,41 +9885,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
msg->size);
}
-/* Converts OpenFlow group mod message 'oh' into an abstract group mod in
- * 'gm'. Returns 0 if successful, otherwise an OpenFlow error code. */
-enum ofperr
-ofputil_decode_group_mod(const struct ofp_header *oh,
- struct ofputil_group_mod *gm)
+static enum ofperr
+ofputil_check_group_mod(const struct ofputil_group_mod *gm)
{
- ofputil_init_group_properties(&gm->props);
-
- enum ofp_version ofp_version = oh->version;
- struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length));
- ofpraw_pull_assert(&msg);
-
- enum ofperr err;
- switch (ofp_version)
- {
- case OFP11_VERSION:
- case OFP12_VERSION:
- case OFP13_VERSION:
- case OFP14_VERSION:
- err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm);
- break;
-
- case OFP15_VERSION:
- case OFP16_VERSION:
- err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm);
- break;
-
- case OFP10_VERSION:
- default:
- OVS_NOT_REACHED();
- }
- if (err) {
- return err;
- }
-
switch (gm->type) {
case OFPGT11_INDIRECT:
if (gm->command != OFPGC11_DELETE
@@ -9977,6 +9949,48 @@ ofputil_decode_group_mod(const struct ofp_header *oh,
return 0;
}
+/* Converts OpenFlow group mod message 'oh' into an abstract group mod in
+ * 'gm'. Returns 0 if successful, otherwise an OpenFlow error code. */
+enum ofperr
+ofputil_decode_group_mod(const struct ofp_header *oh,
+ struct ofputil_group_mod *gm)
+{
+ ofputil_init_group_properties(&gm->props);
+
+ enum ofp_version ofp_version = oh->version;
+ struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length));
+ ofpraw_pull_assert(&msg);
+
+ enum ofperr err;
+ switch (ofp_version)
+ {
+ case OFP11_VERSION:
+ case OFP12_VERSION:
+ case OFP13_VERSION:
+ case OFP14_VERSION:
+ err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm);
+ break;
+
+ case OFP15_VERSION:
+ case OFP16_VERSION:
+ err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm);
+ break;
+
+ case OFP10_VERSION:
+ default:
+ OVS_NOT_REACHED();
+ }
+ if (err) {
+ return err;
+ }
+
+ err = ofputil_check_group_mod(gm);
+ if (err) {
+ ofputil_uninit_group_mod(gm);
+ }
+ return err;
+}
+
/* Destroys 'bms'. */
void
ofputil_free_bundle_msgs(struct ofputil_bundle_msg *bms, size_t n_bms)
Found by libFuzzer. Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> Signed-off-by: Ben Pfaff <blp@ovn.org> --- lib/ofp-util.c | 82 ++++++++++++++++++++++++++++++++++------------------------ 1 file changed, 48 insertions(+), 34 deletions(-)