Skip to content

Instantly share code, notes, and snippets.

View ErodedElk's full-sized avatar

TokameinE ErodedElk

97 followers · 10 following
View GitHub Profile
@ErodedElk
ErodedElk / Ryu_OFPTableFeaturesStats.md
Created April 10, 2024 06:20
An issue was discovered in OFPTableFeaturesStats in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

in /ryu/ofproto/ofproto_v1_3_parser.py about line=5269

        while rest:
            p, rest = OFPTableFeatureProp.parse(rest)
            props.append(p)
        table_features.properties = props

The rest variable here is obtained through the following code:

@ErodedElk
ErodedElk / Ryu_OFPHello.md
Created April 9, 2024 17:28
An issue was discovered in OFPHello in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

in /ryu/ofproto/ofproto_v1_3_parser.py about line=139

class OFPHello(MsgBase):
...
    @classmethod
    def parser(cls, datapath, version, msg_type, msg_len, xid, buf):
        msg = super(OFPHello, cls).parser(datapath, version, msg_type,
                                          msg_len, xid, buf)

        offset = ofproto.OFP_HELLO_HEADER_SIZE
@ErodedElk
ErodedElk / Ryu_OFPBucket.md
Created April 9, 2024 17:19
An issue was discovered in OFPBucket in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

in /ryu/ofproto/ofproto_v1_3_parser.py about line=3607

class OFPBucket(StringifyMixin):
    @classmethod
    def parser(cls, buf, offset):
        (len_, weight, watch_port, watch_group) = struct.unpack_from(
            ofproto.OFP_BUCKET_PACK_STR, buf, offset)
        ....
        while length < msg.len:
@ErodedElk
ErodedElk / Ryu_OFPGroupDescStats.md
Created April 9, 2024 17:15
An issue was discovered in OFPGroupDescStats in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

in /ryu/ofproto/ofproto_v1_3_parser.py about line=4685

class OFPGroupDescStats(StringifyMixin):
    @classmethod
    def parser(cls, buf, offset):
    ....
        while length < stats.length:
            bucket = OFPBucket.parser(buf, offset)
            stats.buckets.append(bucket)
@ErodedElk
ErodedElk / Ryu_OFPFlowStats.md
Created April 9, 2024 17:01
An issue was discovered in OFPFlowStats in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

in /ryu/ofproto/ofproto_v1_3_parser.py about line=4083

class OFPFlowStats(StringifyMixin):
        while inst_length > 0:
            inst = OFPInstruction.parser(buf, offset)
            instructions.append(inst)
            offset += inst.len
            inst_length -= inst.len
@ErodedElk
ErodedElk / Ryu_OFPMultipartReply.md
Created April 9, 2024 13:29
An issue was discovered in OFPMultipartReply in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

in /ryu/ofproto/ofproto_v1_3_parser.py about line=3943

class OFPMultipartReply(MsgBase):
    _STATS_MSG_TYPES = {}
    ....
    @classmethod
    def parser(cls, datapath, version, msg_type, msg_len, xid, buf):
    ....
            while offset < msg_len:
@ErodedElk
ErodedElk / Ryu_OFPPacketQueue.md
Created April 9, 2024 05:55

in /ryu/ofproto/ofproto_v1_3_parser.py about line=6026

class OFPPacketQueue(StringifyMixin):
....
    @classmethod
    def parser(cls, buf, offset):
    ....
        while length < len_:
 queue_prop = OFPQueueProp.parser(buf, offset)
@ErodedElk
ErodedElk / Ryu_OFPTableFeaturesStats.md
Created April 6, 2024 12:04
OFPTableFeaturesStats parser Bug

in /ryu/ofproto/ofproto_v1_3_parser.py about line=5269

        while rest:
            p, rest = OFPTableFeatureProp.parse(rest)
            props.append(p)
        table_features.properties = props

The rest variable here is obtained through the following code:

@ErodedElk
ErodedElk / BugRef.md
Last active April 4, 2024 03:13
BugRef

CVE-2024-29461

Describe the bug

After the controller establishes a connection with the switch, if the malicious switch sets its datapath ID to be the same as the ID of the existing switch, the controller will disconnect the previous switch.

To Reproduce

Steps to reproduce the behavior:

@ErodedElk
ErodedElk / ReadMe.md
Last active March 30, 2024 05:46
CVE-2024-28732-Ref

CVE-2024-28732

in /ryu/ofproto/ofproto_v1_3_parser.py about line=1050

class OFPFlowMod(MsgBase):
....
        while offset < msg_len:
            i = OFPInstruction.parser(buf, offset)
 instructions.append(i)