From c70be058b54c8359ceafbf3dda5e8dc63499d3a5 Mon Sep 17 00:00:00 2001 From: Reyk Floeter Date: Fri, 11 Aug 2017 13:48:22 +0000 Subject: Fix out-of-bounds read when looking up the message handler. This could be triggered by an OpenFlow packet with the message type of 30 ... because C array indexes start at 0. Coverity CID 1453219; Severity: Major OK millert@ goda@
---
 sys/net/switchofp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sys/net/switchofp.c')
diff --git a/sys/net/switchofp.c b/sys/net/switchofp.c
index 2d3a4706d5e..1a56b73ed64 100644
--- a/sys/net/switchofp.c
+++ b/sys/net/switchofp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: switchofp.c,v 1.62 2017/07/19 12:29:22 claudio Exp $ */
+/* $OpenBSD: switchofp.c,v 1.63 2017/08/11 13:48:21 reyk Exp $ */
 /*
 * Copyright (c) 2016 Kazuya GODA
@@ -1215,7 +1215,7 @@ swofp_lookup_oxm_handler(struct ofp_ox_match *oxm)
 ofp_msg_handler
 swofp_lookup_msg_handler(uint8_t type)
 {
- if (type > OFP_T_TYPE_MAX)
+ if (type >= OFP_T_TYPE_MAX)
 return (NULL);
 else
 return (ofp_msg_table[type].msg_handler);
-- cgit v1.2.3
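Review bot: The corrected guard in swofp_lookup_msg_handler() still bounds `type` with OFP_T_TYPE_MAX, a constant defined apart from the array it protects, so the check is only right while `ofp_msg_table` has exactly that many entries; the table's declaration is outside this hunk and should be confirmed. Because `type` is taken from the OpenFlow header of a received packet, tying the bound to the table itself is more robust: `if (type >= nitems(ofp_msg_table))`. The constant's name reads like a largest valid value rather than a count, which is likely how the original `>` slipped in, so a comment such as `/* OFP_T_TYPE_MAX is the number of message types, not the highest one */` above the check would help the next reader. The function's closing brace lies outside the hunk.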