author | Joe Stringer <joe@ovn.org> | 2016-03-07 11:31:02 -0800 |
---|---|---|
committer | Joe Stringer <joe@ovn.org> | 2016-03-30 10:11:16 +1300 |
commit | e659c96bca2c9dbb800ce7882610fd39172c1cef (patch) | |
tree | e09d7e92def9efe9470a4c10887eea114d24dd19 /lib/nx-match.c | |
parent | f3ea2ad27fd076735fdb78286980749bb12fe1ce (diff) | |
download | openvswitch-e659c96bca2c9dbb800ce7882610fd39172c1cef.tar.gz |
nx-match: Fix use-after-free parsing matches.

Address pointed by header_ptr might be free'd due to realloc
happened in ofpbuf_put_hex(). Reported by valgrind in the test
379: check TCP flags expression in OXM and NXM.

    Invalid write of size 4
        nx_match_from_string_raw (nx-match.c:1510)
        nx_match_from_string (nx-match.c:1538)
        ofctl_parse_nxm__ (ovs-ofctl.c:3325)
        ovs_cmdl_run_command (command-line.c:121)
        main (ovs-ofctl.c:137)
    Address 0x7a2cc40 is 0 bytes inside a block of size 64 free'd
        free (vg_replace_malloc.c:530)
        ofpbuf_resize__ (ofpbuf.c:246)
        ofpbuf_put (ofpbuf.c:386)
        ofpbuf_put_hex (ofpbuf.c:414)
        nx_match_from_string_raw (nx-match.c:1488)
        nx_match_from_string (nx-match.c:1538)
        ofctl_parse_nxm__ (ovs-ofctl.c:3325)

Reported-by: William Tu <u9012063@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'lib/nx-match.c')
-rw-r--r-- | lib/nx-match.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/lib/nx-match.c b/lib/nx-match.c index 5cad24c08..edac68bcf 100644 --- a/lib/nx-match.c +++ b/lib/nx-match.c @@ -1468,7 +1468,6 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b) const char *name; uint64_t header; ovs_be64 nw_header; - ovs_be64 *header_ptr; int name_len; size_t n; @@ -1485,7 +1484,7 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b) s += name_len + 1; - header_ptr = ofpbuf_put_uninit(b, nxm_header_len(header)); + b->header = ofpbuf_put_uninit(b, nxm_header_len(header)); s = ofpbuf_put_hex(b, s, &n); if (n != nxm_field_bytes(header)) { const struct mf_field *field = mf_from_oxm_header(header); @@ -1508,7 +1507,7 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b) } } nw_header = htonll(header); - memcpy(header_ptr, &nw_header, nxm_header_len(header)); + memcpy(b->header, &nw_header, nxm_header_len(header)); if (nxm_hasmask(header)) { s += strspn(s, " "); |
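Review bot: In the second hunk, `b->header = ofpbuf_put_uninit(b, nxm_header_len(header));` writes into a field of the caller-supplied `struct ofpbuf *b`, so any value the caller had in `b->header` is overwritten and, on return, the field is left pointing at the last field header parsed. The fix also depends on `b->header` staying valid across the reallocation inside `ofpbuf_put_hex()`, which is the very step the valgrind trace shows freeing the old block, yet nothing in these lines says so. Either add a comment at the assignment explaining that `b->header` is used because the buffer code keeps it valid when the storage moves, and save and restore the caller's value around the loop, or avoid the side effect entirely by recording the header's offset from the start of the buffer before `ofpbuf_put_hex()` and recomputing the destination pointer from that offset just before the `memcpy()` in the third hunk. A regression test that forces a reallocation between the two calls (a match string long enough to outgrow the initial allocation) would keep this from coming back without relying on valgrind.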