summaryrefslogtreecommitdiff
blob: 33686df3acfa316a3a8fe8066217269ac880de7b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Fix buffer overrread in ofputil_pull_queue_get_config_reply10()

msg->size isn't the relevant measurement here because we're only supposed
to read 'len' bytes.  Reading more than that causes 'len' to underflow to a
large number at the end of the loop.

Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 lib/ofp-util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index bdf89b6c3017..f05ca398c13e 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,

         hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
         prop_len = ntohs(hdr->len);
-        if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
+        if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
             return OFPERR_OFPBRC_BAD_LEN;
         }

--
2.10.2