On Tue, Sep 27, 2016, at 05:19 AM, Michał Rzepka <[email protected]> wrote: > Recently, I discovered major multipart message parser flaw. The issue > was observed while testing Aggregate Flow Statistics message in OpenFlow > 1.5 and Open vSwitch. Similar (and potentially also vulnerable) code > snippets are also present in other message parsers (e.g. OFPHello). I'd > like to ask for opinions on proposed solution. If accepted, similar > patches should also be applied for other message parsers. >
This is an *excellent* catch, and I *completely* agree. I suspect that the code, as a whole, needs auditing for message parsing vulnerabilities; your catch, as well as the one found by Samuel Jero, makes me fear that there are *many* such input validation bugs. I hope that Fujita-san applies this patch, as well as any others you submit to resolve any similar such errors, as soon as possible. Thanks, Victor -- Victor J. Orlikowski <> vjo@[cs.]duke.edu ------------------------------------------------------------------------------ _______________________________________________ Ryu-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/ryu-devel
