ofp-util: Avoid use-after-free in ofputil_encode_flow_mod().

nx_put_match() can reallocate the ofpbuf's data so we need to reload the pointer. Found by inspection. Signed-off-by: Ben Pfaff <blp@nicira.com>
author: Ben Pfaff <blp@nicira.com> 2012-06-23 22:34:39 -0700
committer: Ben Pfaff <blp@nicira.com> 2012-06-25 17:01:38 -0700
commit: 47f200357a3a19e9553c96b9749397c4812ebfce (patch)
tree: 0fb024db1c99cdbc351ffbde539beadd7d8aaad8
parent: 3af38c1d6d59b4fe6eeb65c7fdfd3a896c5437c3 (diff)
download: openvswitch-47f200357a3a19e9553c96b9749397c4812ebfce.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index 15de6076f..655746f75 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -1496,10 +1496,10 @@ ofputil_encode_flow_mod(const struct ofputil_flow_mod *fm,
     case OFPUTIL_P_NXM_TID:
         msg = ofpbuf_new(sizeof *nfm + NXM_TYPICAL_LEN + actions_len);
         put_nxmsg(sizeof *nfm, NXT_FLOW_MOD, msg);
+        match_len = nx_put_match(msg, &fm->cr, fm->cookie, fm->cookie_mask);
         nfm = msg->data;
         nfm->command = htons(command);
         nfm->cookie = fm->new_cookie;
-        match_len = nx_put_match(msg, &fm->cr, fm->cookie, fm->cookie_mask);
         nfm->idle_timeout = htons(fm->idle_timeout);
         nfm->hard_timeout = htons(fm->hard_timeout);
         nfm->priority = htons(fm->cr.priority);
author	Ben Pfaff <blp@nicira.com>	2012-06-23 22:34:39 -0700
committer	Ben Pfaff <blp@nicira.com>	2012-06-25 17:01:38 -0700
commit	47f200357a3a19e9553c96b9749397c4812ebfce (patch)
tree	0fb024db1c99cdbc351ffbde539beadd7d8aaad8
parent	3af38c1d6d59b4fe6eeb65c7fdfd3a896c5437c3 (diff)
download	openvswitch-47f200357a3a19e9553c96b9749397c4812ebfce.tar.gz