author | William Tu <u9012063@gmail.com> | 2016-03-04 18:00:46 -0800 |
---|---|---|
committer | Joe Stringer <joe@ovn.org> | 2016-03-07 11:08:07 -0800 |
commit | 81bec2c9bc5362597950058cdbf6b0165f84a92d (patch) | |
tree | d6dc046ad519255f3811a82db7422c3d60c0e7ee /lib | |
parent | aacaeb373079bf774770c0f7f183873a6ce9bbb4 (diff) | |
download | openvswitch-81bec2c9bc5362597950058cdbf6b0165f84a92d.tar.gz |
ofpbuf: Fix use-after-free in bundle parse.
Address pointed by bundle could be obsolete/free'd when
realloc, called from ofpbuf_put_zero(), returns new address.
Reported by Valgrind 367: ovs-ofctl parse-flows (NXM)
Invalid write of size 4
bundle_parse__ (bundle.c:200)
bundle_parse_load (bundle.c:272)
parse_bundle_load (ofp-actions.c:1324)
ofpacts_parse__ (ofp-actions.c:7484)
ofpacts_parse (ofp-actions.c:7540)
ofpacts_parse_copy (ofp-actions.c:7558)
parse_ofp_str__ (ofp-parse.c:491)
parse_ofp_str (ofp-parse.c:544)
parse_ofp_flow_mod_str (ofp-parse.c:870)
Address 0x7a4e96c is 12 bytes inside a block of size 64 free'd
free (vg_replace_malloc.c:530)
ofpbuf_resize__ (ofpbuf.c:246) (purposely add to force using new buf)
ofpbuf_put_zeros (ofpbuf.c:375)
bundle_parse__ (bundle.c:181)
bundle_parse_load (bundle.c:272)
parse_bundle_load (ofp-actions.c:1324)
ofpacts_parse__ (ofp-actions.c:7484)
ofpacts_parse (ofp-actions.c:7540)
ofpacts_parse_copy (ofp-actions.c:7558)
Signed-off-by: William Tu <u9012063@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/bundle.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/bundle.c b/lib/bundle.c index 871a724e8..1451e928f 100644 --- a/lib/bundle.c +++ b/lib/bundle.c @@ -180,6 +180,7 @@ bundle_parse__(const char *s, char **save_ptr, } ofpact_finish(ofpacts, &bundle->ofpact); + bundle = ofpacts->header; bundle->basis = atoi(basis); if (!strcasecmp(fields, "eth_src")) { |
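Review bot: the added `bundle = ofpacts->header;` directly after `ofpact_finish(ofpacts, &bundle->ofpact);` carries no comment explaining why the pointer is re-read, so it reads like a redundant assignment that a later cleanup could delete, bringing back the invalid write at `bundle->basis = atoi(basis);`. A one-line comment stating that ofpact_finish() can move the buffer (the Valgrind trace in the commit message shows ofpbuf_put_zeros reaching ofpbuf_resize__ and free) would protect the line. The fix also depends on `ofpacts->header` still referring to this bundle action once the call returns; if that is guaranteed, the comment should say so. Any other caller that keeps using its action pointer after ofpact_finish() has the same exposure, so it is worth checking the remaining call sites, or having ofpact_finish() return the refreshed pointer so a caller cannot skip the reload.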