Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
openvswitch.6197
0001-ofp-util-Fix-buffer-overread-in-ofputil_pu...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch of Package openvswitch.6197
From 09a97a31daba025177f2e4fbad5ae19e7701ee04 Mon Sep 17 00:00:00 2001 From: Ben Pfaff <blp@ovn.org> Date: Sat, 20 May 2017 16:38:24 -0700 Subject: [PATCH] ofp-util: Fix buffer overread in ofputil_pull_queue_get_config_reply(). msg->size isn't the relevant measurement here because we're only supposed to read 'len' bytes. Reading more than that causes 'len' to underflow to a large number at the end of the loop. Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Greg Rose <gvrose8192@gmail.com> --- lib/ofp-util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ofp-util.c b/lib/ofp-util.c index cbe1472c5..5a6f699cc 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -2695,7 +2695,7 @@ ofputil_pull_queue_get_config_reply(struct ofpbuf *reply, hdr = ofpbuf_at_assert(reply, 0, sizeof *hdr); prop_len = ntohs(hdr->len); - if (prop_len < sizeof *hdr || prop_len > reply->size || prop_len % 8) { + if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) { return OFPERR_OFPBRC_BAD_LEN; } -- 2.15.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor