You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31 lines
1.1 KiB
31 lines
1.1 KiB
From 7b7b186a8d40fc6f287cef2582702181da74bdc3 Mon Sep 17 00:00:00 2001
|
|
From: Ben Pfaff <blp@ovn.org>
|
|
Date: Sat, 20 May 2017 16:38:24 -0700
|
|
Subject: [PATCH] ofp-util: Fix buffer overread in
|
|
ofputil_pull_queue_get_config_reply10().
|
|
|
|
msg->size isn't the relevant measurement here because we're only supposed
|
|
to read 'len' bytes. Reading more than that causes 'len' to underflow to a
|
|
large number at the end of the loop.
|
|
|
|
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
|
|
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
Acked-by: Greg Rose <gvrose8192@gmail.com>
|
|
---
|
|
lib/ofp-util.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
|
|
index db27abf8bc..a6dd5dbddf 100644
|
|
--- a/lib/ofp-util.c
|
|
+++ b/lib/ofp-util.c
|
|
@@ -2598,7 +2598,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
|
|
|
|
hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
|
|
prop_len = ntohs(hdr->len);
|
|
- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
|
|
+ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
|
|
return OFPERR_OFPBRC_BAD_LEN;
|
|
}
|
|
|