nx-match: Fix use-after-free parsing matches.

Address pointed by header_ptr might be free'd due to realloc
happened in ofpbuf_put_hex(). Reported by valgrind in the test
379: check TCP flags expression in OXM and NXM.

Invalid write of size 4
    nx_match_from_string_raw (nx-match.c:1510)
    nx_match_from_string (nx-match.c:1538)
    ofctl_parse_nxm__ (ovs-ofctl.c:3325)
    ovs_cmdl_run_command (command-line.c:121)
    main (ovs-ofctl.c:137)

Address 0x7a2cc40 is 0 bytes inside a block of size 64 free'd
    free (vg_replace_malloc.c:530)
    ofpbuf_resize__ (ofpbuf.c:246)
    ofpbuf_put (ofpbuf.c:386)
    ofpbuf_put_hex (ofpbuf.c:414)
    nx_match_from_string_raw (nx-match.c:1488)
    nx_match_from_string (nx-match.c:1538)
    ofctl_parse_nxm__ (ovs-ofctl.c:3325)

Reported-by: William Tu <u9012063@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>

1 files changed, 2 insertions, 3 deletions

diff --git a/lib/nx-match.c b/lib/nx-match.c
index 5cad24c08..edac68bcf 100644
--- a/lib/nx-match.c
+++ b/lib/nx-match.c
@@ -1468,7 +1468,6 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b)
         const char *name;
         uint64_t header;
         ovs_be64 nw_header;
-        ovs_be64 *header_ptr;
         int name_len;
         size_t n;
 
@@ -1485,7 +1484,7 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b)
 
         s += name_len + 1;
 
-        header_ptr = ofpbuf_put_uninit(b, nxm_header_len(header));
+        b->header = ofpbuf_put_uninit(b, nxm_header_len(header));
         s = ofpbuf_put_hex(b, s, &n);
         if (n != nxm_field_bytes(header)) {
             const struct mf_field *field = mf_from_oxm_header(header);
@@ -1508,7 +1507,7 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b)
             }
         }
         nw_header = htonll(header);
-        memcpy(header_ptr, &nw_header, nxm_header_len(header));
+        memcpy(b->header, &nw_header, nxm_header_len(header));
 
         if (nxm_hasmask(header)) {
             s += strspn(s, " ");