On Fri, Sep 22, 2017 at 02:06:01PM -0700, Justin Pettit wrote:
> 
> > On Sep 21, 2017, at 9:59 AM, Ben Pfaff <[email protected]> wrote:
> > 
> > A buffer overread of up to 4 bytes was possible given a malformed
> > message. The message was discarded following the overread.
> > 
> > Found by libFuzzer.
> > 
> > Reported-by: Bhargava Shastry <[email protected]>
> > Signed-off-by: Ben Pfaff <[email protected]>
> > ---
> > lib/ofp-util.c | 3 +++
> > 1 file changed, 3 insertions(+)
> > 
> > diff --git a/lib/ofp-util.c b/lib/ofp-util.c
> > index 86dd5cb61653..e915cb2ab2d7 100644
> > --- a/lib/ofp-util.c
> > +++ b/lib/ofp-util.c
> > @@ -10517,6 +10517,9 @@ ofputil_decode_bundle_add(const struct ofp_header
> > *oh,
> > msg->bundle_id = ntohl(m->bundle_id);
> > msg->flags = ntohs(m->flags);
> > 
> > + if (b.size < sizeof(struct ofp_header)) {
> > + return OFPERR_OFPBFC_MSG_BAD_LEN;
> > + }
> 
> Do you mind adding a brief comment indicating that this is checking the inner
> OpenFlow header? It will help people like me who miss that. :-)
> 
> Acked-by: Justin Pettit <[email protected]>
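Review bot: The `b.size < sizeof(struct ofp_header)` check in the ofputil_decode_bundle_add hunk guards the read of the inner header's fixed fields, but nothing in the visible lines validates the inner header's own `length` field against `b.size`, so unless that is done further down in the function the inner decoder can still be handed a message whose declared length exceeds the bytes actually present; consider following the new check with a length comparison along the lines of `if (ntohs(inner->length) > b.size) return OFPERR_OFPBFC_MSG_BAD_LEN;` (names hypothetical). Separately, as Justin asks, a one-line comment above the `if`, e.g. `/* The remainder of 'b' must hold at least a full inner OpenFlow header. */`, would make it obvious that the check is about the inner message and not the outer one.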
Sure, I added some comments and applied this to master and then backported as far as 2.6.

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
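As an added illustration, not OVS code and not part of the thread above, here is a self-contained C decoder for a bundle-add body that performs the same inner-header size check the patch introduces and additionally validates the inner header's declared length against the bytes that remain. The struct layouts, the `decode_err` enum, the function names and the three sample messages are simplified assumptions constructed for this example; they are not OVS's own definitions. The buffer passed in is assumed to be the bundle-add body that follows the outer OpenFlow header.

```c
#include <arpa/inet.h>   /* ntohl, ntohs */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 8-byte OpenFlow header layout: version, type, big-endian
 * total length (including the header), big-endian transaction id. */
struct ofp_header {
    uint8_t  version;
    uint8_t  type;
    uint16_t length;
    uint32_t xid;
};

/* Assumed fixed part of a bundle-add body (hypothetical layout):
 * bundle id, flags, padding, then the inner OpenFlow message. */
struct bundle_add_body {
    uint32_t bundle_id;
    uint16_t flags;
    uint8_t  pad[2];
};

enum decode_err {
    DECODE_OK = 0,
    DECODE_BAD_LEN      /* stands in for OFPERR_OFPBFC_MSG_BAD_LEN */
};

struct bundle_add {
    uint32_t       bundle_id;
    uint16_t       flags;
    const uint8_t *inner;      /* start of the inner message in 'buf' */
    size_t         inner_len;  /* length the inner header declares */
};

/* Decode buf[0..len). Every read is preceded by a size check, so a
 * truncated or lying message is rejected instead of overread. */
enum decode_err
decode_bundle_add(const uint8_t *buf, size_t len, struct bundle_add *out)
{
    struct bundle_add_body body;
    struct ofp_header inner;

    if (len < sizeof body) {
        return DECODE_BAD_LEN;
    }
    memcpy(&body, buf, sizeof body);
    out->bundle_id = ntohl(body.bundle_id);
    out->flags = ntohs(body.flags);
    buf += sizeof body;
    len -= sizeof body;

    /* The check the patch adds: a whole inner OpenFlow header must be
     * present before any of its fields are read. */
    if (len < sizeof inner) {
        return DECODE_BAD_LEN;
    }
    memcpy(&inner, buf, sizeof inner);

    /* The inner header's own length must be at least a header and must
     * fit in the bytes that remain, or the inner decoder would overread. */
    size_t inner_len = ntohs(inner.length);
    if (inner_len < sizeof inner || inner_len > len) {
        return DECODE_BAD_LEN;
    }
    out->inner = buf;
    out->inner_len = inner_len;
    return DECODE_OK;
}

/* Constructed sample bodies (not captured from a real switch). */
static const uint8_t GOOD_MSG[] = {
    0x00, 0x00, 0x00, 0x2a, 0x00, 0x01, 0x00, 0x00,  /* id 42, flags 1 */
    0x05, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x07   /* v5, len 8, xid 7 */
};
static const uint8_t SHORT_MSG[] = {
    0x00, 0x00, 0x00, 0x2a, 0x00, 0x01, 0x00, 0x00,
    0x05, 0x00, 0x00, 0x08                            /* 4 of 8 header bytes */
};
static const uint8_t LYING_MSG[] = {
    0x00, 0x00, 0x00, 0x2a, 0x00, 0x01, 0x00, 0x00,
    0x05, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x07   /* claims 16, has 8 */
};

/* Small wrappers so each sample's outcome can be inspected directly. */
enum decode_err decode_only(const uint8_t *msg, size_t n)
{
    struct bundle_add m;
    return decode_bundle_add(msg, n, &m);
}

long decoded_bundle_id(const uint8_t *msg, size_t n)
{
    struct bundle_add m;
    return decode_bundle_add(msg, n, &m) == DECODE_OK ? (long) m.bundle_id : -1;
}

int main(void)
{
    printf("good:  %d\n", decode_only(GOOD_MSG, sizeof GOOD_MSG));
    printf("short: %d\n", decode_only(SHORT_MSG, sizeof SHORT_MSG));
    printf("lying: %d\n", decode_only(LYING_MSG, sizeof LYING_MSG));
    return 0;
}
```

SHORT_MSG is the shape of input the commit message describes: the fixed part is complete but only part of the inner header follows, so without the size check the decoder would read past the end of the buffer. LYING_MSG passes the size check yet declares more bytes than are present, which is why the second comparison is worth keeping next to the first.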
