A buffer overread of up to 4 bytes was possible given a malformed message. The message was discarded following the overread.
Reported-by: Bhargava Shastry <bshas...@sec.t-labs.tu-berlin.de> Signed-off-by: Ben Pfaff <b...@ovn.org> --- lib/ofp-util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/ofp-util.c b/lib/ofp-util.c index 86dd5cb61653..e915cb2ab2d7 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header *oh, msg->bundle_id = ntohl(m->bundle_id); msg->flags = ntohs(m->flags); + if (b.size < sizeof(struct ofp_header)) { + return OFPERR_OFPBFC_MSG_BAD_LEN; + } msg->msg = b.data; if (msg->msg->version != oh->version) { return OFPERR_OFPBFC_BAD_VERSION; -- 2.10.2 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
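Review bot: The new length check guards only the `msg->msg->version` read that follows it; nothing in this hunk validates the inner header's own `length` field against `b.size`, so if the rest of `ofputil_decode_bundle_add` (or whatever later consumes `msg->msg`) trusts `ntohs(msg->msg->length)`, a nested message whose declared length exceeds `b.size` would still be handled with a bad bound. Worth confirming in the surrounding code that the inner message length is checked before any further parsing, and, if it is not, extending the guard to something like `if (b.size < sizeof(struct ofp_header) || ntohs(msg->msg->length) > b.size)` after `msg->msg = b.data;`. Returning `OFPERR_OFPBFC_MSG_BAD_LEN` matches the existing `OFPERR_OFPBFC_BAD_VERSION` convention used just below, so the error code choice looks right.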