X-Patchwork-Id: 765006
From: Ben Pfaff
To: dev@openvswitch.org
Cc: Ben Pfaff, Bhargava Shastry
Date: Sat, 20 May 2017 16:41:07 -0700
Message-Id: <20170520234107.2711-1-blp@ovn.org>
Subject: [ovs-dev] [PATCH] ofp-util: Fix buffer overread in ofputil_pull_queue_get_config_reply10().

msg->size isn't the relevant measurement here because we're only supposed to read 'len' bytes. Reading more than that causes 'len' to underflow to a large number at the end of the loop.

Reported-by: Bhargava Shastry
Signed-off-by: Ben Pfaff
Acked-by: Greg Rose
--- lib/ofp-util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ofp-util.c b/lib/ofp-util.c index bdf89b6c3017..f05ca398c13e 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg, hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr); prop_len = ntohs(hdr->len); - if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) { + if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) { return OFPERR_OFPBRC_BAD_LEN; }
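
Review bot: the replacement condition `prop_len > len` drops the `msg->size` bound entirely, so it is only sufficient if `len` has already been checked against `msg->size` before this point, and nothing in the visible hunk shows that. Please confirm that the earlier validation exists, or keep both bounds in the condition so that a property can exceed neither the queue's remaining `len` nor the data actually present in the buffer. Related, on the context line above the check: `ofpbuf_at_assert(msg, 0, sizeof *hdr)` reads the property header before any comparison against `len`, so when fewer than `sizeof *hdr` bytes of the queue remain, `hdr->len` is taken from bytes that belong to whatever follows the queue. The check that follows still rejects that case, since a `prop_len` of at least `sizeof *hdr` is then larger than `len`, but a one-line comment saying so (or a guard on `len` before the header read) would make the invariant explicit. A regression test with a queue whose property length exceeds the queue length while still fitting inside the message would pin down the underflow described in the commit message.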