diff options
| author | Ben Pfaff <blp@ovn.org> | 2017-09-21 09:59:57 -0700 |
|---|---|---|
| committer | Ben Pfaff <blp@ovn.org> | 2017-09-22 14:56:28 -0700 |
| commit | 77ad4225d125030420d897c873e4734ac708c66b (patch) | |
| tree | ca0dac93fc824bf19e0d7e304c4fe84955534b01 /lib | |
| parent | 5d6ac33c970687aa5f7d63a61a8a543d3ae62901 (diff) | |
| download | openvswitch-77ad4225d125030420d897c873e4734ac708c66b.tar.gz | |
ofp-util: Fix memory leaks on error cases in ofputil_decode_group_mod().
Found by libFuzzer.
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ofp-util.c | 82 |
1 files changed, 48 insertions, 34 deletions
diff --git a/lib/ofp-util.c b/lib/ofp-util.c index 319f8cfd1..9f69c31e0 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -9174,6 +9174,7 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length, if (!ob) { VLOG_WARN_RL(&bad_ofmsg_rl, "buckets end with %"PRIuSIZE" leftover bytes", buckets_length); + ofputil_bucket_list_destroy(buckets); return OFPERR_OFPGMFC_BAD_BUCKET; } @@ -9181,11 +9182,13 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length, if (ob_len < sizeof *ob) { VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length " "%"PRIuSIZE" is not valid", ob_len); + ofputil_bucket_list_destroy(buckets); return OFPERR_OFPGMFC_BAD_BUCKET; } else if (ob_len > buckets_length) { VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length " "%"PRIuSIZE" exceeds remaining buckets data size %"PRIuSIZE, ob_len, buckets_length); + ofputil_bucket_list_destroy(buckets); return OFPERR_OFPGMFC_BAD_BUCKET; } buckets_length -= ob_len; @@ -9817,6 +9820,7 @@ ofputil_pull_ofp11_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version, && gm->command == OFPGC11_DELETE && !ovs_list_is_empty(&gm->buckets)) { error = OFPERR_OFPGMFC_INVALID_GROUP; + ofputil_bucket_list_destroy(&gm->buckets); } return error; @@ -9881,41 +9885,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version, msg->size); } -/* Converts OpenFlow group mod message 'oh' into an abstract group mod in - * 'gm'. Returns 0 if successful, otherwise an OpenFlow error code. */ -enum ofperr -ofputil_decode_group_mod(const struct ofp_header *oh, - struct ofputil_group_mod *gm) +static enum ofperr +ofputil_check_group_mod(const struct ofputil_group_mod *gm) { - ofputil_init_group_properties(&gm->props); - - enum ofp_version ofp_version = oh->version; - struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length)); - ofpraw_pull_assert(&msg); - - enum ofperr err; - switch (ofp_version) - { - case OFP11_VERSION: - case OFP12_VERSION: - case OFP13_VERSION: - case OFP14_VERSION: - err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm); - break; - - case OFP15_VERSION: - case OFP16_VERSION: - err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm); - break; - - case OFP10_VERSION: - default: - OVS_NOT_REACHED(); - } - if (err) { - return err; - } - switch (gm->type) { case OFPGT11_INDIRECT: if (gm->command != OFPGC11_DELETE @@ -9977,6 +9949,48 @@ ofputil_decode_group_mod(const struct ofp_header *oh, return 0; } +/* Converts OpenFlow group mod message 'oh' into an abstract group mod in + * 'gm'. Returns 0 if successful, otherwise an OpenFlow error code. */ +enum ofperr +ofputil_decode_group_mod(const struct ofp_header *oh, + struct ofputil_group_mod *gm) +{ + ofputil_init_group_properties(&gm->props); + + enum ofp_version ofp_version = oh->version; + struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length)); + ofpraw_pull_assert(&msg); + + enum ofperr err; + switch (ofp_version) + { + case OFP11_VERSION: + case OFP12_VERSION: + case OFP13_VERSION: + case OFP14_VERSION: + err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm); + break; + + case OFP15_VERSION: + case OFP16_VERSION: + err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm); + break; + + case OFP10_VERSION: + default: + OVS_NOT_REACHED(); + } + if (err) { + return err; + } + + err = ofputil_check_group_mod(gm); + if (err) { + ofputil_uninit_group_mod(gm); + } + return err; +} + /* Destroys 'bms'. */ void ofputil_free_bundle_msgs(struct ofputil_bundle_msg *bms, size_t n_bms) |