File 0001-ofp-util-Fix-buffer-overread-in-ofputil_pu... of Package openvswitch.6197

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch of Package openvswitch.6197

From 09a97a31daba025177f2e4fbad5ae19e7701ee04 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@ovn.org>
Date: Sat, 20 May 2017 16:38:24 -0700
Subject: [PATCH] ofp-util: Fix buffer overread in
 ofputil_pull_queue_get_config_reply().

msg->size isn't the relevant measurement here because we're only supposed
to read 'len' bytes.  Reading more than that causes 'len' to underflow to a
large number at the end of the loop.

Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Greg Rose <gvrose8192@gmail.com>
---
 lib/ofp-util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index cbe1472c5..5a6f699cc 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -2695,7 +2695,7 @@ ofputil_pull_queue_get_config_reply(struct ofpbuf *reply,
 
         hdr = ofpbuf_at_assert(reply, 0, sizeof *hdr);
         prop_len = ntohs(hdr->len);
-        if (prop_len < sizeof *hdr || prop_len > reply->size || prop_len % 8) {
+        if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
             return OFPERR_OFPBRC_BAD_LEN;
         }
 
-- 
2.15.0

Places

File 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch of Package openvswitch.6197

Places