From 050f90662dde1da1ee3cdd209a9b65196a808811 Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Fri, 26 May 2017 12:59:06 -0700 Subject: [PATCH] ofp-util: Check length of buckets in ofputil_pull_ofp15_group_mod(). This code blindly read forward for the number of bytes specified by the message without checking that it was in range. This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable OpenFlow 1.5 support by default. Reported-by: Bhargava Shastry Signed-off-by: Ben Pfaff Acked-by: Yi-Hung Wei --- lib/ofp-util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/ofp-util.c b/lib/ofp-util.c index 92c17f4837..39ab8362d0 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -9418,6 +9418,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version, } bucket_list_len = ntohs(ogm->bucket_array_len); + if (bucket_list_len > msg->size) { + return OFPERR_OFPBRC_BAD_LEN; + } error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version, gm->type, &gm->buckets); if (error) {
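Review bot: The new `bucket_list_len > msg->size` check guards only this call site in ofputil_pull_ofp15_group_mod(), immediately before the call to ofputil_pull_ofp15_buckets(). The helper already receives both `msg` and `bucket_list_len`, so consider moving the range check into the helper, or confirming that it has no other callers passing a length taken from the wire, so that every path is covered by the same validation. The diffstat shows only lib/ofp-util.c changed; a regression test that decodes an OpenFlow 1.5 group mod whose `bucket_array_len` exceeds the remaining message bytes and expects `OFPERR_OFPBRC_BAD_LEN` would pin the fix down. A one-line comment above the check saying that `bucket_array_len` is untrusted input from the message would also help later readers.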