On Tue, Sep 27, 2016, at 05:19 AM, Michał Rzepka <mrze...@student.agh.edu.pl> wrote:
> Recently, I discovered a major multipart message parser flaw. The issue
> was observed while testing the Aggregate Flow Statistics message in OpenFlow
> 1.5 and Open vSwitch. Similar (and potentially also vulnerable) code
> snippets are also present in other message parsers (e.g. OFPHello). I'd
> like to ask for opinions on the proposed solution. If accepted, similar
> patches should also be applied for other message parsers.
>

This is an *excellent* catch, and I *completely* agree.

I suspect that the code, as a whole, needs auditing for message parsing vulnerabilities; your catch, as well as the one found by Samuel Jero, makes me fear that there are *many* such input validation bugs.

I hope that Fujita-san applies this patch, as well as any others you submit to resolve any similar such errors, as soon as possible.

Thanks,
Victor
--
Victor J. Orlikowski <> vjo@[cs.]duke.edu