mir/openvswitch
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-10-29 15:28:56 +00:00
Code Issues Releases Wiki Activity

ofp-actions: Properly check for action that exceeds buffer length.

Browse Source 
Commit c2d936a44f (ofp-actions: Centralize all OpenFlow action code for
maintainability.) rewrote OpenFlow action parsing but failed to check that
actions don't overflow their buffers.  This commit fixes the problem and
adds negative tests so that this bug doesn't recur.

Reported-by: Tomer Pearl <Tomer.Pearl@Contextream.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
This commit is contained in:
Ben Pfaff
2014-10-23 14:34:04 -07:00
parent 09cac43f74
commit b153b99032
2 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/ofp-actions.c
View File

@@ -6406,6 +6406,11 @@ ofpact_pull_raw(struct ofpbuf *buf, enum ofp_version ofp_version,
}
length = ntohs(oah->len);
if (length > ofpbuf_size(buf)) {
VLOG_WARN_RL(&rl, "OpenFlow action %s length %u exceeds action buffer "
"length %"PRIu32, action->name, length, ofpbuf_size(buf));
return OFPERR_OFPBAC_BAD_LEN;
}
if (length < action->min_length || length > action->max_length) {
VLOG_WARN_RL(&rl, "OpenFlow action %s length %u not in valid range "
"[%hu,%hu]", action->name, length,

16
tests/ofp-actions.at
View File

@@ -119,6 +119,22 @@ ffff 0020 00002320 0015 000500000000 80003039005A02fd 0400000000000000
# actions=sample(probability=12345,collector_set_id=23456,obs_domain_id=34567,obs_point_id=45678)
ffff 0018 00002320 001d 3039 00005BA0 00008707 0000B26E
# bad OpenFlow10 actions: OFPBAC_BAD_LEN
& ofp_actions|WARN|OpenFlow action OFPAT_OUTPUT length 240 exceeds action buffer length 8
& ofp_actions|WARN|bad action at offset 0 (OFPBAC_BAD_LEN):
& 00000000 00 00 00 f0 00 00 00 00-
00 00 00 f0 00 00 00 00
# bad OpenFlow10 actions: OFPBAC_BAD_LEN
& ofp_actions|WARN|OpenFlow action OFPAT_OUTPUT length 16 not in valid range [[8,8]]
& ofp_actions|WARN|bad action at offset 0 (OFPBAC_BAD_LEN):
& 00000000 00 00 00 10 ff fe ff ff-00 00 00 00 00 00 00 00
00 00 00 10 ff fe ff ff 00 00 00 00 00 00 00 00
# bad OpenFlow10 actions: OFPBAC_BAD_LEN
& ofp_actions|WARN|OpenFlow action NXAST_DEC_TTL_CNT_IDS length 17 is not a multiple of 8
ffff 0011 00002320 0015 0001 00000000 0000000000000000
])
sed '/^[[#&]]/d' < test-data > input.txt
sed -n 's/^# //p; /^$/p' < test-data > expout