This code blindly read forward for the number of bytes specified by the
message without checking that it was in range.

This bug is part of OpenFlow 1.5 support.  Open vSwitch does not enable
OpenFlow 1.5 support by default.

Reported-by: Bhargava Shastry <[email protected]>
Signed-off-by: Ben Pfaff <[email protected]>
---
 lib/ofp-util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index f05ca398c13e..46bc628d4191 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -9581,6 +9581,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum 
ofp_version ofp_version,
     }
 
     bucket_list_len = ntohs(ogm->bucket_array_len);
+    if (bucket_list_len > msg->size) {
+        return OFPERR_OFPBRC_BAD_LEN;
+    }
     error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
                                        gm->type, &gm->buckets);
     if (error) {
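Review bot: The added guard `if (bucket_list_len > msg->size)` has no comment saying why the wire-supplied `bucket_array_len` is compared against `msg->size`, and the diffstat shows no test accompanying it. I would add `/* bucket_array_len comes from the message; it must not exceed the bytes left in 'msg'. */` above the check. The check relies on `msg->size` being the length remaining after the group-mod header has been pulled, which happens outside the hunk and should be confirmed. A regression test that feeds a group-mod whose `bucket_array_len` is larger than the message would keep the check from being lost in a later refactor; the body of ofputil_pull_ofp15_group_mod starts and ends outside the hunk.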
-- 
2.10.2
