diff options
| author | William Tu <u9012063@gmail.com> | 2016-03-04 15:18:54 -0800 |
|---|---|---|
| committer | Joe Stringer <joe@ovn.org> | 2016-03-07 11:08:07 -0800 |
| commit | ef5774e30e3232e6d25e6e0d03cdf1fed6577505 (patch) | |
| tree | d8b13138f3a5e9017f8384866bb664c8e2bb7a71 /tutorial | |
| parent | 81bec2c9bc5362597950058cdbf6b0165f84a92d (diff) | |
| download | openvswitch-ef5774e30e3232e6d25e6e0d03cdf1fed6577505.tar.gz | |
ofp-util: Fix use-after-free in group append.
It is possible for ofpbuf_put() to realloc a newly allocated address,
casuing the previously referenced pointer, ogds, points to old/free'd
address. The issue is generated by forcing ofpbuf_put() to use newly
allocated buffer and valgrind reports invalid write. The similiar syndrome
is reported at: https://patchwork.ozlabs.org/patch/591330/
Invalid write of size 2
ofputil_append_ofp15_group_desc_reply (ofp-util.c:8367)
ofputil_append_group_desc_reply (ofp-util.c:8392)
append_group_desc (ofproto.c:6262)
handle_group_request (ofproto.c:6230)
handle_group_desc_stats_request (ofproto.c:6269)
handle_openflow__ (ofproto.c:7337)
handle_openflow (ofproto.c:7403)
ofconn_run (connmgr.c:1379)
connmgr_run (connmgr.c:323)
ofproto_run (ofproto.c:1762)
bridge_run__ (bridge.c:2885)
bridge_run (bridge.c:2940)
main (ovs-vswitchd.c:120)
Address 0x7cb1020 is 144 bytes inside a block of size 1,144 free'd
free (vg_replace_malloc.c:530)
ofpbuf_resize__ (ofpbuf.c:246)
ofpbuf_put (ofpbuf.c:386)
nx_put_header__ (nx-match.c:1241)
nxm_put__ (nx-match.c:697)
oxm_put_field_array (nx-match.c:1226)
ofputil_put_group_prop_ntr_selection_method (ofp-util.c:8305)
ofputil_append_ofp15_group_desc_reply (ofp-util.c:8364)
ofputil_append_group_desc_reply (ofp-util.c:8392)
append_group_desc (ofproto.c:6262)
Signed-off-by: William Tu <u9012063@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
Diffstat (limited to 'tutorial')
0 files changed, 0 insertions, 0 deletions