[OPNFLWPLUG-559] Openflow allows semi-valid input before handshake completion
Created: 06/Oct/15 Updated: 27/Sep/21 Resolved: 26/Jun/17

| Status: | Resolved |
| Project: | OpenFlowPlugin |
| Component/s: | General |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | Anton Ivanov | Assignee: | Anton Ivanov |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 4420 |
| Description |
|
Usually, any violation of the "handshake order" is considered an attack attempt or invalid input, and the protocol handler should immediately close the connection. This is the standard best practice (mostly for security reasons). ODL Openflow does not comply with this best practice. If you send a message with valid framing before the HELLO + FEATURES handshake is complete, the connection is not closed. Example: send an Echo or PacketIn as a first message from the switch before the FEATURES_REPLY. The controller will proceed, oblivious to the fact that the client has obviously tried to feed garbage input. |
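An added example (not OpenFlowPlugin code and not from the reporter): a controller-side guard in Python that enforces the handshake order described above, closing the connection when a validly framed Echo or PacketIn arrives before the HELLO + FEATURES exchange completes. The class and helper names are hypothetical, the frames are constructed samples, and the strict one-expected-type-per-state policy is an assumption taken from the description.

```python
import struct
from enum import Enum

# OpenFlow message type codes (identical in OpenFlow 1.0 and 1.3).
OFPT_HELLO, OFPT_ECHO_REQUEST, OFPT_FEATURES_REPLY, OFPT_PACKET_IN = 0, 2, 6, 10
OFP_HEADER = struct.Struct("!BBHI")  # version, type, length, xid

class State(Enum):
    WAIT_HELLO = 1
    WAIT_FEATURES_REPLY = 2
    ESTABLISHED = 3
    CLOSED = 4

# Assumed strict policy: one acceptable type per pre-handshake state, then advance.
EXPECTED = {
    State.WAIT_HELLO: (OFPT_HELLO, State.WAIT_FEATURES_REPLY),
    State.WAIT_FEATURES_REPLY: (OFPT_FEATURES_REPLY, State.ESTABLISHED),
}

class HandshakeGuard:
    """Hypothetical per-connection guard, run before any message dispatch."""
    def __init__(self):
        self.state = State.WAIT_HELLO

    def on_message(self, frame: bytes) -> bool:
        """Return True to dispatch the frame, False to close the connection."""
        if self.state is State.CLOSED or len(frame) < OFP_HEADER.size:
            return self._close()
        _version, msg_type, length, _xid = OFP_HEADER.unpack_from(frame)
        if length != len(frame):  # framing is checked in every state
            return self._close()
        if self.state is State.ESTABLISHED:
            return True
        wanted, next_state = EXPECTED[self.state]
        if msg_type != wanted:  # valid framing, wrong point in the handshake
            return self._close()
        self.state = next_state
        return True

    def _close(self) -> bool:
        self.state = State.CLOSED
        return False

def make_frame(msg_type: int, body: bytes = b"", version: int = 4) -> bytes:
    """Build a constructed sample frame: 8-byte header plus opaque body."""
    return OFP_HEADER.pack(version, msg_type, OFP_HEADER.size + len(body), 1) + body

def replay(msg_types):
    guard = HandshakeGuard()  # fresh connection; returns per-frame decisions
    return [guard.on_message(make_frame(t)) for t in msg_types]
```

Once the guard has returned False it stays closed, so a HELLO sent after an early Echo is rejected as well.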
| Comments |
| Comment by Jozef Bacigal [ 20/Jun/17 ] |
|
On what version and on what design have you tested it? I think this was a vulnerability in the He-design. Can you re-test it on the latest code? |