File 0001-ofp-util-Check-length-of-buckets-in-ofputil_pull_ofp.patch of Package openvswitch.6197

From 9cdb3e7c373cdcf5072372631e31d13f1a600e91 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@ovn.org>
Date: Fri, 26 May 2017 12:59:06 -0700
Subject: [PATCH] ofp-util: Check length of buckets in
 ofputil_pull_ofp15_group_mod().

This code blindly read forward for the number of bytes specified by the
message without checking that it was in range.

This bug is part of OpenFlow 1.5 support.  Open vSwitch does not enable
OpenFlow 1.5 support by default.

Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
---
 lib/ofp-util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index 13adff3f7..f0ed5bee3 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -8813,6 +8813,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
     }
 
     bucket_list_len = ntohs(ogm->bucket_array_len);
+    if (bucket_list_len > msg->size) {
+        return OFPERR_OFPBRC_BAD_LEN;
+    }
     error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
                                        gm->type, &gm->buckets);
     if (error) {
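Review bot: the bound added at "if (bucket_list_len > msg->size)" is only right if msg->size here is the number of bytes left after the group-mod header has already been pulled, and nothing in the hunk shows that, so a one-line comment stating that invariant would make the check auditable. The validation also sits in this caller, which leaves ofputil_pull_ofp15_buckets() still trusting its length argument; consider doing the range check inside that helper so every caller is covered. The diffstat shows only lib/ofp-util.c changed, so there is no regression test: a group mod whose bucket_array_len exceeds the remaining message, expected to return OFPERR_OFPBRC_BAD_LEN, would pin the fix.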
-- 
2.15.0
