mirror of
https://github.com/faucetsdn/ryu.git
synced 2026-01-24 18:11:24 +01:00
Recently, I discovered a major multipart message parser flaw. The issue was observed while testing Aggregate Flow Statistics message in OpenFlow 1.5 and Open vSwitch. Similar (and potentially also vulnerable) code snippets are also present in other message parsers (e.g. OFPHello). I'd like to ask for opinions on the proposed solution. If accepted, similar patches should also be applied for other message parsers.

Brief description (steps to reproduce the issue):

1. REST API is called to retrieve aggregate flow stats:

   curl http://localhost:8080/stats/aggregateflow/8796750139643

2. Open vSwitch replies to Aggregate Stats Request with Aggregate Stats Reply:

   message buffer:
   0x06 0x13 0x00 0x28 0x53 0xfe 0xc4 0xaf
   0x00 0x02 0x00 0x00 0x00 0x00 0x00 0x00
   0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
   0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
   0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

   (note that due to incomplete OF 1.5 support in OvS, message is malformed - ofp_stats struct filled with zeros)

3. Message is processed by Ryu parsers:

   ofproto_parser.msg -> ofproto_v1_5_parser.msg_parser -> ofproto_v1_5_parser.OFPMultipartReply.parser

4. Here, message body contents are parsed (ofproto_v1_5_parser.OFPMultipartReply.parser, lines 1858-1861):

   while offset < msg_len:
       b = stats_type_cls.cls_stats_body_cls.parser(msg.buf, offset)
       body.append(b)
       offset += b.length if hasattr(b, 'length') else b.len

5. Due to incorrect message format, zero-filled message part is parsed as b=OFPAggregateStats(length=0,stats=OFPStats(oxs_fields={})), resulting in constant offset value, as in each iteration offset += 0.

6. Parser remains trapped in an infinite loop with offset = 16, msg_len = 40. Ryu controller hangs completely.

OFPMultipartReply parser was observed to handle malformed messages improperly. The patch introduces offset check to fix processing of malformed messages in ofproto_v1_5_parser.OFPMultipartReply.parser.

Signed-off-by: Michal Rzepka <mrzepka@student.agh.edu.pl>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
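
The loop described in the commit message above, reduced to a stand-alone sketch; this is an added example, not the commit's patch and not Ryu's code. ``entry_length``, the 4-byte minimum entry size, the iteration cap and the ``WELL_FORMED`` sample are assumptions made for the demonstration, and the check shown is one way to reject a non-advancing entry rather than the check the patch itself uses.

```python
import struct

# Constructed from the 40-byte reply quoted in the commit message: 8-byte
# OpenFlow header, 8-byte multipart header, 24 zero bytes of body.
MALFORMED_REPLY = bytes.fromhex("0613002853fec4af" "0002000000000000") + bytes(24)
# Constructed well-formed counterpart: two 8-byte entries, each with length=8.
WELL_FORMED = bytes.fromhex("0613002000000001" "0002000000000000"
                            "0000000800000000" "0000000800000000")
BODY_OFFSET = 16   # body starts after the two 8-byte headers
ENTRY_HEADER = 4   # assumed minimum entry size: reserved(16) + length(16)


class MalformedMessage(Exception):
    """A body entry is truncated, overruns the message, or cannot advance."""


def entry_length(buf, offset):
    # Simplified stand-in for the per-entry body parser (assumption):
    # returns only the 16-bit length that follows a 16-bit reserved field.
    _reserved, length = struct.unpack_from("!HH", buf, offset)
    return length


def parse_unchecked(buf, max_iterations=1000):
    """Loop shape from the commit message; the cap exists only for the demo."""
    offset, iterations = BODY_OFFSET, 0
    while offset < len(buf):
        iterations += 1
        if iterations >= max_iterations:
            return offset, iterations, True    # cap hit: loop was not ending
        offset += entry_length(buf, offset)
    return offset, iterations, False


def parse_checked(buf):
    """Same loop, but every entry must advance and stay inside the message."""
    offset, lengths = BODY_OFFSET, []
    while offset < len(buf):
        if len(buf) - offset < ENTRY_HEADER:
            raise MalformedMessage("truncated entry at offset %d" % offset)
        length = entry_length(buf, offset)
        if length < ENTRY_HEADER or offset + length > len(buf):
            raise MalformedMessage(
                "bad entry length %d at offset %d" % (length, offset))
        lengths.append(length)
        offset += length
    return lengths
```
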
What's Ryu
==========
Ryu is a component-based software defined networking framework.
Ryu provides software components with a well-defined API that makes it
easy for developers to create new network management and control
applications. Ryu supports various protocols for managing network
devices, such as OpenFlow, Netconf, OF-config, etc. For OpenFlow,
Ryu fully supports 1.0, 1.2, 1.3, 1.4, 1.5 and Nicira Extensions.
All of the code is freely available under the Apache 2.0 license. Ryu
is fully written in Python.

Quick Start
===========
Installing Ryu is quite easy::

   % pip install ryu

If you prefer to install Ryu from the source code::

   % git clone git://github.com/osrg/ryu.git
   % cd ryu; python ./setup.py install

If you want to write your Ryu application, have a look at
`Writing ryu application <http://ryu.readthedocs.io/en/latest/writing_ryu_app.html>`_ document.
After writing your application, just type::

   % ryu-manager yourapp.py

Optional Requirements
=====================
Some functionalities of Ryu require extra packages:

- OF-Config requires lxml
- NETCONF requires paramiko
- BGP speaker (ssh console) requires paramiko
- OVSDB support requires ovs (Note: python 3.4 requires ovs>=2.6.0.dev0)

If you want to use these functionalities, please install the requirements::

   % pip install lxml
   % pip install paramiko
   % pip install ovs

Support
=======
The official Ryu site is `<http://osrg.github.io/ryu/>`_.

If you have any questions, suggestions, or patches, the mailing list is
available at
`ryu-devel ML
<https://lists.sourceforge.net/lists/listinfo/ryu-devel>`_.
`The ML archive at Gmane <http://dir.gmane.org/gmane.network.ryu.devel>`_
is also available.