[ovs-dev] [PATCH] ofproto-dpif: Avoid dereferencing possibly null or wild pointer.
Ben Pfaff
blp at nicira.com
Thu Aug 16 20:37:44 UTC 2012
If ofpacts_len is 0 then ofpacts->type is a bad reference.
(An early draft of ofpacts used an OFPACT_END sentinel so that there was
always data there in this function, but in review the sentinel got deleted
and I did not notice that this function needed an update.)
Found by valgrind.
Bug #12847.
Signed-off-by: Ben Pfaff <blp at nicira.com>
---
ofproto/ofproto-dpif.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index a7e85de..444df14 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -3794,7 +3794,8 @@ facet_is_controller_flow(struct facet *facet)
const struct ofpact *ofpacts = rule->ofpacts;
size_t ofpacts_len = rule->ofpacts_len;
- if (ofpacts->type == OFPACT_CONTROLLER &&
+ if (ofpacts_len > 0 &&
+ ofpacts->type == OFPACT_CONTROLLER &&
ofpact_next(ofpacts) >= ofpact_end(ofpacts, ofpacts_len)) {
return true;
}
--
1.7.2.5
More information about the dev
mailing list