> On Sep 21, 2017, at 9:59 AM, Ben Pfaff <[email protected]> wrote: > > A buffer overread of up to 4 bytes was possible given a malformed > message. The message was discarded following the overread. > > Found by libFuzzer. > > Reported-by: Bhargava Shastry <[email protected]> > Signed-off-by: Ben Pfaff <[email protected]> > --- > lib/ofp-util.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/lib/ofp-util.c b/lib/ofp-util.c > index 86dd5cb61653..e915cb2ab2d7 100644 > --- a/lib/ofp-util.c > +++ b/lib/ofp-util.c > @@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header *oh, > msg->bundle_id = ntohl(m->bundle_id); > msg->flags = ntohs(m->flags); > > + if (b.size < sizeof(struct ofp_header)) { > + return OFPERR_OFPBFC_MSG_BAD_LEN; > + }
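Review bot: the new `if (b.size < sizeof(struct ofp_header))` check deserves a one-line comment, because a reader of the hunk alone cannot tell which header it guards: it is the encapsulated OpenFlow message carried inside the bundle-add body, not the outer header `oh` that was already validated when `ofputil_decode_bundle_add` was entered. Something like `/* The bundle add message carries an inner OpenFlow message; make sure its header is fully present before decoding it. */` directly above the check would make the intent clear and ties the fix to the up-to-4-byte overread named in the commit message. It is also worth confirming that the inner message's own length field is checked against `b.size` further down, since this hunk only guarantees that the fixed-size header itself is readable, not that the inner message is complete.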
Do you mind adding a brief comment indicating that this is checking the inner OpenFlow header? It will help people like me who miss that. :-)

Acked-by: Justin Pettit <[email protected]>

Thanks,

--Justin

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
