Red Hat Bugzilla – Bug 1497966
CVE-2017-14970 openvswitch: Multiple memory leaks in lib/ofp-util.c while parsing malformed OpenFlow group mod messages
Last modified: 2017-10-25 11:22:38 EDT
In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages. An attacker can use this for a Denial of Service. Upstream fixes: https://github.com/openvswitch/ovs/commit/77ad4225d125030420d897c873e4734ac708c66b https://github.com/openvswitch/ovs/commit/f673f4059717dc9d2d6dd2d4db52be1149a996dd
Created openvswitch tracking bugs for this issue: Affects: fedora-all [bug 1497967]
Analysis: Currently when parsing group mod messages, particularly group descriptor messages and those that contain buckets, the buckets will be loaded into memory. If for some reason the parsing fails and the function returns an error the references to the buckets already allocated is lost (memory leak). Openflow being what it is, a standard for managing switches from a centralised control plane it is unlikely that those not already in a significant position to abuse / DoS the service would be able to use these vulnerabilities. As it stands the two memory leaks require failures in the parsing of the group descriptor, to systematically cause this failure and create a denial of service (memory exhaustion etc) would be difficult.
Relevant information for others: Ben Pfaff downgraded the severity of this bug: https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339432.html
Upstream is applying to have the CVE rejected, which we agree with. After some consideration we are closing it as notabug. https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339435.html
Hi Andrej, Do you have the reproducer of this bug? Thanks, Junhan
(In reply to Junhan from comment #7) > Hi Andrej, > Do you have the reproducer of this bug? > Thanks, > Junhan Hello Junhan, there is no reproducer as far as I'm aware of. This issue has also been rejected as a security issue.