You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
34 lines
1.2 KiB
34 lines
1.2 KiB
From 050f90662dde1da1ee3cdd209a9b65196a808811 Mon Sep 17 00:00:00 2001
|
|
From: Ben Pfaff <blp@ovn.org>
|
|
Date: Fri, 26 May 2017 12:59:06 -0700
|
|
Subject: [PATCH] ofp-util: Check length of buckets in
|
|
ofputil_pull_ofp15_group_mod().
|
|
|
|
This code blindly read forward for the number of bytes specified by the
|
|
message without checking that it was in range.
|
|
|
|
This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
|
|
OpenFlow 1.5 support by default.
|
|
|
|
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
|
|
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
|
|
---
|
|
lib/ofp-util.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
|
|
index 92c17f4837..39ab8362d0 100644
|
|
--- a/lib/ofp-util.c
|
|
+++ b/lib/ofp-util.c
|
|
@@ -9418,6 +9418,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
|
|
}
|
|
|
|
bucket_list_len = ntohs(ogm->bucket_array_len);
|
|
+ if (bucket_list_len > msg->size) {
|
|
+ return OFPERR_OFPBRC_BAD_LEN;
|
|
+ }
|
|
error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
|
|
gm->type, &gm->buckets);
|
|
if (error) {
|