ofp-actions: Properly check for action that exceeds buffer length.

Commit c2d936a44fa (ofp-actions: Centralize all OpenFlow action code for maintainability.) rewrote OpenFlow action parsing but failed to check that actions don't overflow their buffers. This commit fixes the problem and adds negative tests so that this bug doesn't recur. Reported-by: Tomer Pearl <Tomer.Pearl@Contextream.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Justin Pettit <jpettit@nicira.com>
author: Ben Pfaff <blp@nicira.com> 2014-10-23 14:34:04 -0700
committer: Ben Pfaff <blp@nicira.com> 2014-10-23 14:34:04 -0700
commit: b153b9903272f858ee1bbaaba0768f5f2d6506e7 (patch)
tree: 361182ab6d6ac61e85adc6ab94e53a9d6df4a383 /lib/ofp-actions.c
parent: 09cac43f740b0aef1ef1cb656d952f56bedd7fec (diff)
download: openvswitch-b153b9903272f858ee1bbaaba0768f5f2d6506e7.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
index 7d9ee585a..41c76226d 100644
--- a/lib/ofp-actions.c
+++ b/lib/ofp-actions.c
@@ -6406,6 +6406,11 @@ ofpact_pull_raw(struct ofpbuf *buf, enum ofp_version ofp_version,
     }
 
     length = ntohs(oah->len);
+    if (length > ofpbuf_size(buf)) {
+        VLOG_WARN_RL(&rl, "OpenFlow action %s length %u exceeds action buffer "
+                     "length %"PRIu32, action->name, length, ofpbuf_size(buf));
+        return OFPERR_OFPBAC_BAD_LEN;
+    }
     if (length < action->min_length || length > action->max_length) {
         VLOG_WARN_RL(&rl, "OpenFlow action %s length %u not in valid range "
                      "[%hu,%hu]", action->name, length,
author	Ben Pfaff <blp@nicira.com>	2014-10-23 14:34:04 -0700
committer	Ben Pfaff <blp@nicira.com>	2014-10-23 14:34:04 -0700
commit	b153b9903272f858ee1bbaaba0768f5f2d6506e7 (patch)
tree	361182ab6d6ac61e85adc6ab94e53a9d6df4a383 /lib/ofp-actions.c
parent	09cac43f740b0aef1ef1cb656d952f56bedd7fec (diff)
download	openvswitch-b153b9903272f858ee1bbaaba0768f5f2d6506e7.tar.gz