ofp-util: Check length of buckets in ofputil_pull_ofp15_group_mod().

This code blindly read forward for the number of bytes specified by the message without checking that it was in range. This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable OpenFlow 1.5 support by default. Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
openvswitch · Jul 7, 2017 · 9cdb3e7 · 9cdb3e7
1 parent fdbf476
commit 9cdb3e7
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
@@ -8813,6 +8813,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
     }
 
     bucket_list_len = ntohs(ogm->bucket_array_len);
+    if (bucket_list_len > msg->size) {
+        return OFPERR_OFPBRC_BAD_LEN;
+    }
     error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
                                        gm->type, &gm->buckets);
     if (error) {