Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 lib/ofp-util.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index f05ca398c13e..46bc628d4191 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -9581,6 +9581,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
 }
 bucket_list_len = ntohs(ogm->bucket_array_len);
+ if (bucket_list_len > msg->size) {
+ return OFPERR_OFPBRC_BAD_LEN;
+ }
 error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version, gm->type, &gm->buckets);
 if (error) {
--
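Review bot: The new guard after `bucket_list_len = ntohs(ogm->bucket_array_len);` returns OFPERR_OFPBRC_BAD_LEN with no comment and no log output, so a line such as `/* bucket_array_len is taken from the message; it must not claim more bytes than remain in msg. */` above the `if` would keep the check from being dropped as redundant later. If this file reports other malformed-message rejections through a rate-limited warning, the same should happen here, since a group-mod whose declared bucket length exceeds the message is worth seeing in the logs. The diffstat shows only lib/ofp-util.c changed, so a regression case with an oversized bucket_array_len appears to be missing from the test suite. ofputil_pull_ofp15_group_mod starts and ends outside the hunk, so whether ofputil_pull_ofp15_buckets also bounds its own reads cannot be confirmed from here.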