[ovs-dev] [PATCH] datapath: Fix buffer overrun in mask array realloc.

Andy Zhou azhou at nicira.com
Fri Jul 25 23:36:18 UTC 2014


Good catch!

Acked-by: Andy Zhou <azhou at nicira.com>

On Fri, Jul 25, 2014 at 4:22 PM, Pravin B Shelar <pshelar at nicira.com> wrote:
> mask realloc copies elements from old array to new array. When
> shrinking array it can go beyond allocated memory.
>
> Signed-off-by: Pravin B Shelar <pshelar at nicira.com>
> ---
>  datapath/flow_table.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/datapath/flow_table.c b/datapath/flow_table.c
> index 765930e..21f67bf 100644
> --- a/datapath/flow_table.c
> +++ b/datapath/flow_table.c
> @@ -247,9 +247,10 @@ static int tbl_mask_array_realloc(struct flow_table *tbl, int size)
>         if (old) {
>                 int i;
>
> -               for (i = 0; i < old->max; i++)
> +               for (i = 0; i < min(old->max, new->max); i++)
>                         new->masks[i] = old->masks[i];
>
> +               BUG_ON(old->count > new->max);
>                 new->count = old->count;
>         }
>         rcu_assign_pointer(tbl->mask_array, new);
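
Review bot: the BUG_ON(old->count > new->max) at the end of the if (old) block fires only after the copy loop has run, and it panics the kernel rather than failing the resize. Since tbl_mask_array_realloc() returns int, consider comparing old->count against the new size before the copy and returning an error instead. Separately, the loop now keeps only the first min(old->max, new->max) slots while new->count = old->count is carried over unchanged, so the shrink path is correct only if all old->count masks sit in those leading slots. A comment stating that invariant, or compacting the entries while copying, would make the assumption explicit.
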
> --
> 1.7.1