[ovs-dev] [bondlib 02/19] packets: Fix potential use-after-free in compose_benign_packet().
Ethan Jackson
ethan at nicira.com
Sat Mar 26 00:04:44 UTC 2011
Looks Good.
On Fri, Mar 25, 2011 at 10:35 AM, Ben Pfaff <blp at nicira.com> wrote:
> The second call to ofpbuf_put_zeros() could cause the 'eth' pointer to
> be invalidated.
>
> It appears that this does not fix a real bug because the existing callers
> all preallocate 128 bytes of tailroom, but the interface doesn't document
> that requirement.
> ---
> lib/packets.c | 29 +++++++----------------------
> 1 files changed, 7 insertions(+), 22 deletions(-)
>
> diff --git a/lib/packets.c b/lib/packets.c
> index 8cb1b6d..f16e749 100644
> --- a/lib/packets.c
> +++ b/lib/packets.c
> @@ -1,5 +1,5 @@
> /*
> - * Copyright (c) 2009, 2010 Nicira Networks.
> + * Copyright (c) 2009, 2010, 2011 Nicira Networks.
> *
> * Licensed under the Apache License, Version 2.0 (the "License");
> * you may not use this file except in compliance with the License.
> @@ -66,28 +66,13 @@ void
> compose_benign_packet(struct ofpbuf *b, const char *tag, uint16_t snap_type,
> const uint8_t eth_src[ETH_ADDR_LEN])
> {
> - struct eth_header *eth;
> - struct llc_snap_header *llc_snap;
> + size_t tag_size = strlen(tag) + 1;
> + char *payload;
>
> - /* Compose basic packet structure. (We need the payload size to stick into
> - * the 802.2 header.) */
> - ofpbuf_clear(b);
> - eth = ofpbuf_put_zeros(b, ETH_HEADER_LEN);
> - llc_snap = ofpbuf_put_zeros(b, LLC_SNAP_HEADER_LEN);
> - ofpbuf_put(b, tag, strlen(tag) + 1); /* Includes null byte. */
> - ofpbuf_put(b, eth_src, ETH_ADDR_LEN);
> -
> - /* Compose 802.2 header. */
> - memcpy(eth->eth_dst, eth_addr_broadcast, ETH_ADDR_LEN);
> - memcpy(eth->eth_src, eth_src, ETH_ADDR_LEN);
> - eth->eth_type = htons(b->size - ETH_HEADER_LEN);
> -
> - /* Compose LLC, SNAP headers. */
> - llc_snap->llc.llc_dsap = LLC_DSAP_SNAP;
> - llc_snap->llc.llc_ssap = LLC_SSAP_SNAP;
> - llc_snap->llc.llc_cntl = LLC_CNTL_SNAP;
> - memcpy(llc_snap->snap.snap_org, "\x00\x23\x20", 3);
> - llc_snap->snap.snap_type = htons(snap_type);
> + payload = snap_compose(b, eth_addr_broadcast, eth_src, 0x002320, snap_type,
> + tag_size + ETH_ADDR_LEN);
> + memcpy(payload, tag, tag_size);
> + memcpy(payload + tag_size, eth_src, ETH_ADDR_LEN);
> }
>
> /* Stores the string representation of the IPv6 address 'addr' into the
> --
> 1.7.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
>
More information about the dev
mailing list