In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages. An attacker can use this for a Denial of Service.
Created openvswitch tracking bugs for this issue:
Affects: fedora-all [bug 1497967]
Analysis: Currently when parsing group mod messages, particularly group descriptor messages and those that contain buckets, the buckets will be loaded into memory. If for some reason the parsing fails and the function returns an error the references to the buckets already allocated is lost (memory leak).
Openflow being what it is, a standard for managing switches from a centralised control plane it is unlikely that those not already in a significant position to abuse / DoS the service would be able to use these vulnerabilities. As it stands the two memory leaks require failures in the parsing of the group descriptor, to systematically cause this failure and create a denial of service (memory exhaustion etc) would be difficult.
Relevant information for others:
Ben Pfaff downgraded the severity of this bug: https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339432.html
Upstream is applying to have the CVE rejected, which we agree with. After some consideration we are closing it as notabug.
Do you have the reproducer of this bug?
(In reply to Junhan from comment #7)
> Hi Andrej,
> Do you have the reproducer of this bug?
Hello Junhan, there is no reproducer as far as I'm aware of. This issue has also been rejected as a security issue.
Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.