ofp-monitor: Fix abort on malformed flow update event.

nx_to_ofp_flow_update_event() aborts the execution if incorrect event is passed, so checking has to be done before conversion in order to avoid the crash while decoding malformed flow update message: ==397030==ERROR: AddressSanitizer: ABRT on unknown address 0x... ) 0 0x7fd26688418b in raise 1 0x7fd266863858 in abort 2 0x6a6cbd in nx_to_ofp_flow_update_event lib/ofp-monitor.c:399:9 3 0x6a6cbd in ofputil_decode_flow_update lib/ofp-monitor.c:856:25 4 0x56491d in ofp_print_flow_monitor_reply lib/ofp-print.c:779:22 5 0x55f0a0 in ofp_to_string__ lib/ofp-print.c:1154:16 6 0x55f0a0 in ofp_to_string lib/ofp-print.c:1244:21 7 0x5603a5 in ofp_print lib/ofp-print.c:1288:28 Credit to OSS-Fuzz. Additionally removed the extra 'reply' word from the error message, since ofpraw_get_name(raw) already has one. Fixes: c3e64047d1cc ("ofp-monitor: Support flow monitoring for OpenFlow 1.3, 1.4+.") Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47112 Acked-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-08-22 01:51:26 +00:00 · 2022-04-29 19:21:23 +02:00 · 2022-04-29 19:21:23 +02:00 · 8c506d3725
commit 8c506d3725
parent e8515c8cc0
4 changed files with 13 additions and 9 deletions
--- a/lib/ofp-monitor.c
+++ b/lib/ofp-monitor.c
@ -847,19 +847,20 @@ ofputil_decode_flow_update(struct ofputil_flow_update *update,
    case OFPRAW_ONFST13_FLOW_MONITOR_REPLY:
    case OFPRAW_NXST_FLOW_MONITOR_REPLY: {
        struct nx_flow_update_header *nfuh;
+        enum nx_flow_update_event nx_event;

        if (msg->size < sizeof(struct nx_flow_update_header)) {
            goto bad_len;
        }

        nfuh = msg->data;
-        update->event = nx_to_ofp_flow_update_event(ntohs(nfuh->event));
        length = ntohs(nfuh->length);
        if (length > msg->size || length % 8) {
            goto bad_len;
        }

-        if (update->event == OFPFME_ABBREV) {
+        nx_event = ntohs(nfuh->event);
+        if (nx_event == NXFME_ABBREV) {
            struct nx_flow_update_abbrev *nfua;

            if (length != sizeof *nfua) {
@ -868,10 +869,9 @@ ofputil_decode_flow_update(struct ofputil_flow_update *update,

            nfua = ofpbuf_pull(msg, sizeof *nfua);
            update->xid = nfua->xid;
-            return 0;
-        } else if (update->event == OFPFME_ADDED
-                   || update->event == OFPFME_REMOVED
-                   || update->event == OFPFME_MODIFIED) {
+        } else if (nx_event == NXFME_ADDED
+                   || nx_event == NXFME_DELETED
+                   || nx_event == NXFME_MODIFIED) {
            struct nx_flow_update_full *nfuf;
            unsigned int actions_len;
            unsigned int match_len;
@ -926,12 +926,14 @@ ofputil_decode_flow_update(struct ofputil_flow_update *update,

            update->ofpacts = ofpacts->data;
            update->ofpacts_len = ofpacts->size;
-            return 0;
        } else {
            VLOG_WARN_RL(&rl, "NXST_FLOW_MONITOR reply has bad event %"PRIu16,
                         ntohs(nfuh->event));
            return OFPERR_NXBRC_FM_BAD_EVENT;
        }
+
+        update->event = nx_to_ofp_flow_update_event(nx_event);
+        return 0;
    }
    case OFPRAW_OFPST14_FLOW_MONITOR_REPLY: {
        struct ofp_flow_update_header *ofuh;
@ -1017,8 +1019,8 @@ ofputil_decode_flow_update(struct ofputil_flow_update *update,
        OVS_NOT_REACHED();
    }
 bad_len:
-    VLOG_WARN_RL(&rl, "%s reply has %"PRIu32" leftover bytes at end",
-                ofpraw_get_name(raw), msg->size);
+    VLOG_WARN_RL(&rl, "%s has %"PRIu32" leftover bytes at end",
+                 ofpraw_get_name(raw), msg->size);
    return OFPERR_OFPBRC_BAD_LEN;
 }

--- a/tests/automake.mk
+++ b/tests/automake.mk
@ -117,6 +117,7 @@ FUZZ_REGRESSION_TESTS = \
 	tests/fuzz-regression/flow_extract_fuzzer-5457710546944000 \
 	tests/fuzz-regression/json_parser_fuzzer-4790908707930112 \
 	tests/fuzz-regression/ofp_print_fuzzer-4584019764183040 \
+	tests/fuzz-regression/ofp_print_fuzzer-4671928750702592 \
 	tests/fuzz-regression/ofp_print_fuzzer-4730143510626304 \
 	tests/fuzz-regression/ofp_print_fuzzer-4854119633256448 \
 	tests/fuzz-regression/ofp_print_fuzzer-5070973479944192 \
--- a/tests/fuzz-regression-list.at
+++ b/tests/fuzz-regression-list.at
@ -2,6 +2,7 @@ TEST_FUZZ_REGRESSION([flow_extract_fuzzer-5112775280951296])
 TEST_FUZZ_REGRESSION([flow_extract_fuzzer-5457710546944000])
 TEST_FUZZ_REGRESSION([json_parser_fuzzer-4790908707930112])
 TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4584019764183040])
+TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4671928750702592])
 TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4730143510626304])
 TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4854119633256448])
 TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5070973479944192])
--- a/tests/fuzz-regression/ofp_print_fuzzer-4671928750702592
+++ b/tests/fuzz-regression/ofp_print_fuzzer-4671928750702592