From 07ee811374b9ec7e4c152d12fdc2eaf483555215 Mon Sep 17 00:00:00 2001 From: Denis Ovsienko Date: Wed, 23 Sep 2020 11:16:59 +0100 Subject: OpenFlow 1.0: Fix queue properties decoding. In of10_queue_props_print() the "skip" branch tested and skipped 4 bytes too many, so a malformed queue property would likely result in an odd truncation or incorrect decoding of subsequent data (this is based on code analysis only). Get the offset and the size right and add a comment to explain it. Add and update other comments to clarify a few similar subtleties that are easy to get wrong. --- print-openflow.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'print-openflow.c') diff --git a/print-openflow.c b/print-openflow.c index 894306d1..c82e1368 100644 --- a/print-openflow.c +++ b/print-openflow.c @@ -99,7 +99,13 @@ of_header_body_print(netdissect_options *ndo, const u_char *cp, const u_char *ep * the basic header. A message length underrun fails decoding of the rest of * the current packet. At the same time, try decoding as much of the current * message as possible even when it does not end within the current TCP - * segment. */ + * segment. + * + * That is, do NOT require the header "length" to be small enough for + * the full declared OpenFlow message to fit into the remainder of the + * declared TCP segment given to this function, same as the full declared + * TCP segment is not required to fit into the captured packet buffer. + */ if (length < OF_HEADER_LEN) { of_header_print(ndo, version, type, length, xid); goto invalid; -- cgit v1.2.1
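Review bot: this hunk is comment-only, so the decoding fix described in the subject (the over-long "skip" in of10_queue_props_print()) is not visible here; the diffstat (7 insertions, 1 deletion in print-openflow.c) matches just this comment change, and the page is explicitly limited to print-openflow.c, so the actual offset/size correction must live in another file of the same commit and should be reviewed there, since the message says it is "based on code analysis only" with no test capture. On the comment itself: it now states what is deliberately NOT required (that the declared OpenFlow length fit inside the declared TCP segment, or the segment inside the capture buffer), but not what then keeps the subsequent reads safe; since the function takes an end pointer `ep`, one sentence saying that all reads past the header are bounded by that end pointer rather than by the header "length" would make the intent complete, and would make it obvious why the only `length`-based check that follows is the underrun test `if (length < OF_HEADER_LEN)` leading to `goto invalid`.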