On Sat, 2017-05-20 at 16:41 -0700, Ben Pfaff wrote: > msg->size isn't the relevant measurement here because we're only supposed > to read 'len' bytes. Reading more than that causes 'len' to underflow to a > large number at the end of the loop. > > Reported-by: Bhargava Shastry <[email protected]> > Signed-off-by: Ben Pfaff <[email protected]> > --- > lib/ofp-util.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/ofp-util.c b/lib/ofp-util.c > index bdf89b6c3017..f05ca398c13e 100644 > --- a/lib/ofp-util.c > +++ b/lib/ofp-util.c > @@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf > *msg, > > hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr); > prop_len = ntohs(hdr->len); > - if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) { > + if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) { > return OFPERR_OFPBRC_BAD_LEN; > } >
Yikes. Good catch. Acked-by: Greg Rose <[email protected]> _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
