From patchwork Thu Sep 21 16:59:56 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ben Pfaff X-Patchwork-Id: 817059 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3xyjfz6S3wz9t49 for ; Fri, 22 Sep 2017 03:05:47 +1000 (AEST) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 8D7A8B7B; Thu, 21 Sep 2017 17:05:14 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id DED66B1D for ; Thu, 21 Sep 2017 17:05:13 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay6-d.mail.gandi.net (relay6-d.mail.gandi.net [217.70.183.198]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 2B673204 for ; Thu, 21 Sep 2017 17:05:13 +0000 (UTC) X-Originating-IP: 173.228.112.34 Received: from sigabrt.gateway.sonic.net (173-228-112-34.dsl.dynamic.fusionbroadband.com [173.228.112.34]) (Authenticated sender: blp@ovn.org) by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id 2D787FB8A3; Thu, 21 Sep 2017 19:05:08 +0200 (CEST) 
From: Ben Pfaff To: dev@openvswitch.org Date: Thu, 21 Sep 2017 09:59:56 -0700 Message-Id: <20170921165958.3218-2-blp@ovn.org> X-Mailer: git-send-email 2.10.2 In-Reply-To: <20170921165958.3218-1-blp@ovn.org> References: <20170921165958.3218-1-blp@ovn.org> X-Spam-Status: No, score=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Ben Pfaff , Bhargava Shastry Subject: [ovs-dev] [PATCH v4 1/3] ofp-util: Fix buffer overread in ofputil_decode_bundle_add(). X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org A buffer overread of up to 4 bytes was possible given a malformed message. The message was discarded following the overread. Found by libFuzzer. Reported-by: Bhargava Shastry Signed-off-by: Ben Pfaff Acked-by: Justin Pettit --- lib/ofp-util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/ofp-util.c b/lib/ofp-util.c index 86dd5cb61653..e915cb2ab2d7 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c 
@@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header *oh, msg->bundle_id = ntohl(m->bundle_id); msg->flags = ntohs(m->flags); + if (b.size < sizeof(struct ofp_header)) { + return OFPERR_OFPBFC_MSG_BAD_LEN; + } msg->msg = b.data; if (msg->msg->version != oh->version) { return OFPERR_OFPBFC_BAD_VERSION; From patchwork Thu Sep 21 16:59:57 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ben Pfaff X-Patchwork-Id: 817062 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3xyjgn1NPgz9t4r for ; Fri, 22 Sep 2017 03:06:29 +1000 (AEST) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 970A1BD0; Thu, 21 Sep 2017 17:05:18 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id BF416B76 for ; Thu, 21 Sep 2017 17:05:17 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay6-d.mail.gandi.net (relay6-d.mail.gandi.net [217.70.183.198]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 49FEC41D for ; Thu, 21 Sep 2017 17:05:17 +0000 (UTC) X-Originating-IP: 173.228.112.34 Received: from sigabrt.gateway.sonic.net (173-228-112-34.dsl.dynamic.fusionbroadband.com [173.228.112.34]) (Authenticated sender: blp@ovn.org) by relay6-d.mail.gandi.net 
(Postfix) with ESMTPSA id CFDF7FB881; Thu, 21 Sep 2017 19:05:12 +0200 (CEST) From: Ben Pfaff To: dev@openvswitch.org Date: Thu, 21 Sep 2017 09:59:57 -0700 Message-Id: <20170921165958.3218-3-blp@ovn.org> X-Mailer: git-send-email 2.10.2 In-Reply-To: <20170921165958.3218-1-blp@ovn.org> References: <20170921165958.3218-1-blp@ovn.org> X-Spam-Status: No, score=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Ben Pfaff , Bhargava Shastry Subject: [ovs-dev] [PATCH v4 2/3] ofp-util: Fix memory leaks on error cases in ofputil_decode_group_mod(). X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Found by libFuzzer. Reported-by: Bhargava Shastry Signed-off-by: Ben Pfaff Acked-by: Justin Pettit --- lib/ofp-util.c | 82 ++++++++++++++++++++++++++++++++++------------------------ 1 file changed, 48 insertions(+), 34 deletions(-) diff --git a/lib/ofp-util.c b/lib/ofp-util.c index e915cb2ab2d7..2309a2ad2515 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -9174,6 +9174,7 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length, if (!ob) { VLOG_WARN_RL(&bad_ofmsg_rl, "buckets end with %"PRIuSIZE" leftover bytes", buckets_length); + ofputil_bucket_list_destroy(buckets); return OFPERR_OFPGMFC_BAD_BUCKET; } 
@@ -9181,11 +9182,13 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length, if (ob_len < sizeof *ob) { VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length " "%"PRIuSIZE" is not valid", ob_len); + ofputil_bucket_list_destroy(buckets); return OFPERR_OFPGMFC_BAD_BUCKET; } else if (ob_len > buckets_length) { VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length " "%"PRIuSIZE" exceeds remaining buckets data size %"PRIuSIZE, ob_len, buckets_length); + ofputil_bucket_list_destroy(buckets); return OFPERR_OFPGMFC_BAD_BUCKET; } buckets_length -= ob_len; @@ -9817,6 +9820,7 @@ ofputil_pull_ofp11_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version, && gm->command == OFPGC11_DELETE && !ovs_list_is_empty(&gm->buckets)) { error = OFPERR_OFPGMFC_INVALID_GROUP; + ofputil_bucket_list_destroy(&gm->buckets); } return error; @@ -9881,41 +9885,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version, msg->size); } -/* Converts OpenFlow group mod message 'oh' into an abstract group mod in - * 'gm'. Returns 0 if successful, otherwise an OpenFlow error code. */ -enum ofperr -ofputil_decode_group_mod(const struct ofp_header *oh, - struct ofputil_group_mod *gm) +static enum ofperr +ofputil_check_group_mod(const struct ofputil_group_mod *gm) { - ofputil_init_group_properties(&gm->props); - - enum ofp_version ofp_version = oh->version; - struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length)); - ofpraw_pull_assert(&msg); - - enum ofperr err; - switch (ofp_version) - { - case OFP11_VERSION: - case OFP12_VERSION: - case OFP13_VERSION: - case OFP14_VERSION: - err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm); - break; - - case OFP15_VERSION: - case OFP16_VERSION: - err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm); - break; - - case OFP10_VERSION: - default: - OVS_NOT_REACHED(); - } - if (err) { - return err; - } - switch (gm->type) { case OFPGT11_INDIRECT: if (gm->command != OFPGC11_DELETE 
@@ -9977,6 +9949,48 @@ ofputil_decode_group_mod(const struct ofp_header *oh, return 0; } +/* Converts OpenFlow group mod message 'oh' into an abstract group mod in + * 'gm'. Returns 0 if successful, otherwise an OpenFlow error code. */ +enum ofperr +ofputil_decode_group_mod(const struct ofp_header *oh, + struct ofputil_group_mod *gm) +{ + ofputil_init_group_properties(&gm->props); + + enum ofp_version ofp_version = oh->version; + struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length)); + ofpraw_pull_assert(&msg); + + enum ofperr err; + switch (ofp_version) + { + case OFP11_VERSION: + case OFP12_VERSION: + case OFP13_VERSION: + case OFP14_VERSION: + err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm); + break; + + case OFP15_VERSION: + case OFP16_VERSION: + err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm); + break; + + case OFP10_VERSION: + default: + OVS_NOT_REACHED(); + } + if (err) { + return err; + } + + err = ofputil_check_group_mod(gm); + if (err) { + ofputil_uninit_group_mod(gm); + } + return err; +} + /* Destroys 'bms'. 
*/ void ofputil_free_bundle_msgs(struct ofputil_bundle_msg *bms, size_t n_bms) From patchwork Thu Sep 21 16:59:58 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ben Pfaff X-Patchwork-Id: 817065 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3xyjhg5Zxxz9t4c for ; Fri, 22 Sep 2017 03:07:15 +1000 (AEST) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id D08BFBEA; Thu, 21 Sep 2017 17:05:20 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 1B317B7A for ; Thu, 21 Sep 2017 17:05:20 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay6-d.mail.gandi.net (relay6-d.mail.gandi.net [217.70.183.198]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id C3ED2204 for ; Thu, 21 Sep 2017 17:05:19 +0000 (UTC) X-Originating-IP: 173.228.112.34 Received: from sigabrt.gateway.sonic.net (173-228-112-34.dsl.dynamic.fusionbroadband.com [173.228.112.34]) (Authenticated sender: blp@ovn.org) by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id 9A47BFB8AC; Thu, 21 Sep 2017 19:05:16 +0200 (CEST) 
From: Ben Pfaff To: dev@openvswitch.org Date: Thu, 21 Sep 2017 09:59:58 -0700 Message-Id: <20170921165958.3218-4-blp@ovn.org> X-Mailer: git-send-email 2.10.2 In-Reply-To: <20170921165958.3218-1-blp@ovn.org> References: <20170921165958.3218-1-blp@ovn.org> X-Spam-Status: No, score=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Ben Pfaff , Bhargava Shastry Subject: [ovs-dev] [PATCH v4 3/3] ofp-util: Fix memory leaks when parsing OF1.5 group properties. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Found by libFuzzer. Reported-by: Bhargava Shastry Signed-off-by: Ben Pfaff Acked-by: Justin Pettit --- lib/ofp-util.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/lib/ofp-util.c b/lib/ofp-util.c index 2309a2ad2515..16c4f191a340 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -9581,8 +9581,13 @@ ofputil_decode_ofp15_group_desc_reply(struct ofputil_group_desc *gd, * Such properties are valid for group desc replies so * claim that the group mod command is OFPGC15_ADD to * satisfy the check in parse_group_prop_ntr_selection_method() */ - return parse_ofp15_group_properties(msg, gd->type, OFPGC15_ADD, &gd->props, - length - sizeof *ogds - bucket_list_len); + error = parse_ofp15_group_properties( + msg, gd->type, OFPGC15_ADD, &gd->props, + length - sizeof *ogds - bucket_list_len); + if (error) { + ofputil_bucket_list_destroy(&gd->buckets); + } + return error; } /* Converts a group description reply in 'msg' into an abstract 
@@ -9881,8 +9886,12 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version, return error; } - return parse_ofp15_group_properties(msg, gm->type, gm->command, &gm->props, - msg->size); + error = parse_ofp15_group_properties(msg, gm->type, gm->command, + &gm->props, msg->size); + if (error) { + ofputil_bucket_list_destroy(&gm->buckets); + } + return error; } static enum ofperr
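Review bot: the new length check in ofputil_decode_bundle_add() (patch 1/3) arrives without a regression test. The diffstat touches only lib/ofp-util.c, so nothing keeps the malformed message that libFuzzer found from regressing. Please add a test case for a bundle-add message whose embedded message is shorter than an OpenFlow header and assert that it is rejected with OFPERR_OFPBFC_MSG_BAD_LEN. As a style point, 'b.size < sizeof *msg->msg' would tie the bound to the pointer that is dereferenced on the following lines, and it matches the 'sizeof *ob' form visible in the context of patch 2/3.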
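Review bot: in ofputil_pull_ofp11_buckets() (patch 2/3), the same 'ofputil_bucket_list_destroy(buckets);' is now repeated before each of three 'return OFPERR_OFPGMFC_BAD_BUCKET;' statements, so the next error return added to this function can leak again. A single error exit (one label that destroys the list and returns the error) would make the cleanup hard to miss. The change also alters the contract for callers: on error the list passed in as 'buckets' has already been destroyed, and the function comment should say so, so that no caller destroys it a second time or keeps using entries from it.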
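Review bot: the re-added ofputil_decode_group_mod() (patch 2/3) cleans up on only one of its two failure paths. A failure from ofputil_check_group_mod() calls ofputil_uninit_group_mod(gm), while 'if (err) { return err; }' after the version switch returns without it, even though ofputil_init_group_properties(&gm->props) has already run. That leaves correctness dependent on every pull function releasing everything it allocated, which the other hunks in this series patch one return at a time. Consider routing both paths through the same cleanup, after confirming that ofputil_uninit_group_mod() is safe on a 'gm' whose bucket list a pull function has already destroyed. Separately, the new static ofputil_check_group_mod() has no comment; one line stating that it only validates 'gm' and leaves freeing to the caller would document the split.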
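Review bot: in ofputil_decode_ofp15_group_desc_reply() (patch 3/3), the new error branch destroys gd->buckets but leaves gd->props, the structure that the failing parse_ofp15_group_properties() call was filling in. If that parser can allocate into the properties before it returns an error, this path still leaks; either release the properties here as well or say in a comment why nothing needs freeing. The same question applies to &gm->props in the ofputil_pull_ofp15_group_mod() hunk that follows.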