blob: 33686df3acfa316a3a8fe8066217269ac880de7b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
Fix buffer overrread in ofputil_pull_queue_get_config_reply10()
msg->size isn't the relevant measurement here because we're only supposed
to read 'len' bytes. Reading more than that causes 'len' to underflow to a
large number at the end of the loop.
Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
lib/ofp-util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index bdf89b6c3017..f05ca398c13e 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
prop_len = ntohs(hdr->len);
- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
+ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
return OFPERR_OFPBRC_BAD_LEN;
}
--
2.10.2
|
