Headline
CVE-2020-35141: Suggestion for OFPQueueGetConfigReply parser with queue.len=0 · Issue #118 · faucetsdn/ryu
An issue was discovered in OFPQueueGetConfigReply in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).
The same questions are as follows:
In /ryu/ofproto/ofproto_v1_0_parser.py about line=2077
class OFPQueueGetConfigReply(MsgBase):
....
offset = ofproto.OFP_QUEUE_GET_CONFIG_REPLY_SIZE
while offset + ofproto.OFP_PACKET_QUEUE_SIZE <= msg_len:
queue = OFPPacketQueue.parser(msg.buf, offset)
msg.queues.append(queue)
offset += queue.len
In /ryu/ofproto/ofproto_v1_2_parser.py about line=3187
class OFPQueueGetConfigReply(MsgBase):
....
length = ofproto.OFP_QUEUE_GET_CONFIG_REPLY_SIZE
offset = ofproto.OFP_QUEUE_GET_CONFIG_REPLY_SIZE
while length < msg.msg_len:
queue = OFPPacketQueue.parser(msg.buf, offset)
msg.queues.append(queue)
offset += queue.len
length += queue.len
In /ryu/ofproto/ofproto_v1_4_parser.py about line=5763
class OFPBundleCtrlMsg(MsgBase):
....
msg.bundle_id = bundle_id
msg.type = type_
msg.flags = flags
msg.properties = []
rest = msg.buf[ofproto.OFP_BUNDLE_CTRL_MSG_SIZE:]
while rest:
p, rest = OFPBundleProp.parse(rest)
msg.properties.append(p)
In /ryu/ofproto/ofproto_v1_5_parser.py about line=6864
class OFPBundleCtrlMsg(MsgBase):
....
msg.bundle_id = bundle_id
msg.type = type_
msg.flags = flags
msg.properties = []
rest = msg.buf[ofproto.OFP_BUNDLE_CTRL_MSG_SIZE:]
while rest:
p, rest = OFPBundleProp.parse(rest)
msg.properties.append(p)Related news
GHSA-5x64-925v-h4gv: FaucetSDN Ryu Denial of Service Vulnerability
An issue was discovered in `OFPQueueGetConfigReply` in `parser.py` in FaucetSDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).