diff --git a/openflow/main_user_openflow.c b/openflow/main_user_openflow.c
index ff87478..eee3222 100644
--- a/openflow/main_user_openflow.c
+++ b/openflow/main_user_openflow.c
@@ -256,19 +256,37 @@ handle_ofpmsg_flow_stats(struct ofp_buffer *ofpbuf)
 {
 int i = 0, reply_len = 0, flow_stats_offset;
 struct ofp_flow_stats *current_flow_stats = NULL;
+ struct ofp_flow_stats *flow_stats_ptr = NULL;
 struct ofp_buffer *reply_buffer = NULL;
 struct ofp_multipart *multipart_reply = NULL;
+ uint16_t flow_length = 0;
 
 // 计算长度
- for (; i < FAST_RULE_CNT; i++) {
+ for (i = 0; i < FAST_RULE_CNT; i++) {
 if (flow_stats_addr[i] != 0) {
- reply_len += ntohs(((struct ofp_flow_stats *)flow_stats_addr[i])->length);
+ flow_stats_ptr = (struct ofp_flow_stats *)flow_stats_addr[i];
+ // 添加空指针检查和长度有效性检查
+ if (flow_stats_ptr == NULL) {
+ continue;
+ }
+ flow_length = ntohs(flow_stats_ptr->length);
+ // 检查长度是否合理(至少应该包含 ofp_flow_stats 结构体大小)
+ if (flow_length < sizeof(struct ofp_flow_stats) || flow_length > 65535) {
+ printf("Warning: Invalid flow stats length %d at index %d\n", flow_length, i);
+ continue;
+ }
+ reply_len += flow_length;
 }
 }
 reply_len += sizeof(struct ofp_header) + sizeof(struct ofp_multipart);
 
 // 构造响应包
 reply_buffer = (struct ofp_buffer *)build_opfmsg_reply_ofpbuf(OFPT_MULTIPART_REPLY, ofpbuf->header.xid, reply_len);
+ if (reply_buffer == NULL) {
+ printf("Error: Failed to allocate reply buffer\n");
+ return HANDLE;
+ }
+
 multipart_reply = (struct ofp_multipart *)reply_buffer->data;
 multipart_reply->type = htons(OFPMP_FLOW); // 标识信息
 multipart_reply->flags = htonl(OFPMP_REPLY_MORE_NO); //这条不用回
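Review bot: The upper-bound half of the new length check, `flow_length > 65535`, can never be true because `flow_length` is declared `uint16_t` and cannot hold a larger value, so it is dead code that -Wtype-limits will flag; drop it, or if a tighter per-entry cap is intended, compare against a named constant instead. The lower bound `sizeof(struct ofp_flow_stats)` is the test that actually protects the later memcpy. The `flow_stats_ptr == NULL` test is likewise unreachable, since the pointer is a cast of a value the enclosing `if` just confirmed is non-zero. `reply_len` is an `int` that accumulates up to FAST_RULE_CNT entries of up to 65535 bytes each; whether that sum can overflow depends on FAST_RULE_CNT, which is not visible here, so a comment or a `size_t` accumulator would be worth adding. The same dead bound check recurs in the second hunk, and handle_ofpmsg_flow_stats continues past the end of this hunk.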
@@ -279,8 +297,23 @@ handle_ofpmsg_flow_stats(struct ofp_buffer *ofpbuf)
 
 for (i = 0; i < FAST_RULE_CNT; i++) {
 if (flow_stats_addr[i] != 0) {
- memcpy(current_flow_stats, (void *)(uintptr_t)flow_stats_addr[i], ntohs(((struct ofp_flow_stats *)flow_stats_addr[i])->length));
- flow_stats_offset += ntohs(current_flow_stats->length);
+ flow_stats_ptr = (struct ofp_flow_stats *)flow_stats_addr[i];
+ // 添加空指针检查
+ if (flow_stats_ptr == NULL) {
+ continue;
+ }
+ flow_length = ntohs(flow_stats_ptr->length);
+ // 再次检查长度有效性
+ if (flow_length < sizeof(struct ofp_flow_stats) || flow_length > 65535) {
+ continue;
+ }
+ // 检查是否会超出缓冲区边界
+ if (flow_stats_offset + flow_length > reply_len) {
+ printf("Error: Buffer overflow prevented at index %d\n", i);
+ break;
+ }
+ memcpy(current_flow_stats, (void *)flow_stats_ptr, flow_length);
+ flow_stats_offset += flow_length;
 current_flow_stats = (struct ofp_flow_stats *)&reply_buffer->data[flow_stats_offset];
 }
 }
diff --git a/openflow/user_openflow b/openflow/user_openflow
index e6b977d..03c9620 100755
Binary files a/openflow/user_openflow and b/openflow/user_openflow differ
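Review bot: The new bounds check `flow_stats_offset + flow_length > reply_len` measures an offset into `reply_buffer->data` against `reply_len`, which in the first hunk also counts `sizeof(struct ofp_header)`; if `data` follows the `header` member rather than containing it — `ofpbuf->header.xid` suggests they are separate fields — the copy can still overrun the end of `data` by up to a header's worth of bytes. Bound the copy by the capacity of `data` instead, e.g. `if (flow_stats_offset + (int)flow_length > reply_len - (int)sizeof(struct ofp_header)) {`, or better by the size build_opfmsg_reply_ofpbuf actually allocated, if the buffer records it. Because `flow_length` is re-read from the entry in this pass, an entry whose length changed between the two loops is caught only by this aggregate bound, and a `break` here presumably leaves the reply shorter than the length the first loop computed; that condition should be reported to the caller rather than only printed. The function body continues outside the hunk, so the initialisation of `flow_stats_offset` and the reply-length bookkeeping cannot be confirmed from here.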