author | Ben Pfaff <blp@ovn.org> | 2017-09-22 14:50:41 -0700 |
committer | Ben Pfaff <blp@ovn.org> | 2017-09-22 14:51:11 -0700 |
commit | 5d6ac33c970687aa5f7d63a61a8a543d3ae62901 (patch) | |
tree | f2dae4b0ff24d27ebd16d23774df16cabea38878 /lib/ofp-util.c | |
parent | 4a13542103b971bc335f62887dfb0360943c9ec1 (diff) | |
download | openvswitch-5d6ac33c970687aa5f7d63a61a8a543d3ae62901.tar.gz |
ofp-util: Fix buffer overread in ofputil_decode_bundle_add().
A buffer overread of up to 4 bytes was possible given a malformed
message. The message was discarded following the overread.
Found by libFuzzer.
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Diffstat (limited to 'lib/ofp-util.c')
-rw-r--r-- | lib/ofp-util.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index 86dd5cb61..319f8cfd1 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -10509,14 +10509,21 @@ ofputil_decode_bundle_add(const struct ofp_header *oh,
                           enum ofptype *typep)
 {
     struct ofpbuf b = ofpbuf_const_initializer(oh, ntohs(oh->length));
+
+    /* Pull the outer ofp_header. */
     enum ofpraw raw = ofpraw_pull_assert(&b);
     ovs_assert(raw == OFPRAW_OFPT14_BUNDLE_ADD_MESSAGE
                || raw == OFPRAW_ONFT13_BUNDLE_ADD_MESSAGE);
 
+    /* Pull the bundle_ctrl header. */
     const struct ofp14_bundle_ctrl_msg *m = ofpbuf_pull(&b, sizeof *m);
     msg->bundle_id = ntohl(m->bundle_id);
     msg->flags = ntohs(m->flags);
 
+    /* Pull the inner ofp_header. */
+    if (b.size < sizeof(struct ofp_header)) {
+        return OFPERR_OFPBFC_MSG_BAD_LEN;
+    }
     msg->msg = b.data;
     if (msg->msg->version != oh->version) {
         return OFPERR_OFPBFC_BAD_VERSION;
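Review bot: The new comment `/* Pull the inner ofp_header. */` is misleading: unlike the two pulls above it, nothing is pulled from `b` here; the code only checks that an ofp_header's worth of bytes remains and then points `msg->msg` at `b.data`. A comment that states the actual contract would be `/* The inner message starts at b.data; require at least a full ofp_header before reading its version field. */`. The added length check bounds only the fixed header read on the following lines; the inner message's own `length` field, and anything decoded past the header, still has to be validated against `b.size` before the inner message is used. That code, and the rest of ofputil_decode_bundle_add, lies past the end of the hunk, so whether it is already there cannot be confirmed from this diff.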