mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-30 22:05:19 +00:00
Code Issues Releases Wiki Activity

ofp-util: Check length of buckets in ofputil_pull_ofp15_group_mod().

Browse Source 
This code blindly read forward for the number of bytes specified by the
message without checking that it was in range.

This bug is part of OpenFlow 1.5 support.  Open vSwitch does not enable
OpenFlow 1.5 support by default.

Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
This commit is contained in:
Ben Pfaff
2017-05-26 12:59:06 -07:00
parent b76d4a81b8
commit 1752ea92dc
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/ofp-util.c
View File

@@ -9867,6 +9867,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
}
bucket_list_len = ntohs(ogm->bucket_array_len);
if (bucket_list_len > msg->size) {
return OFPERR_OFPBRC_BAD_LEN;
}
error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
gm->type, &gm->buckets);
if (error) {