[ovs-dev] [PATCH] datapath: Fix buffer overrun in mask array realloc.
Pravin Shelar
pshelar at nicira.com
Fri Jul 25 23:47:30 UTC 2014
On Fri, Jul 25, 2014 at 4:36 PM, Andy Zhou <azhou at nicira.com> wrote:
> Good catch!
>
> Acked-by: Andy Zhou <azhou at nicira.com>
>
Thanks,
I pushed it to master and branch 2.3.
> On Fri, Jul 25, 2014 at 4:22 PM, Pravin B Shelar <pshelar at nicira.com> wrote:
>> mask realloc copies elements from old array to new array. When
>> shrinking array it can go beyond allocated memory.
>>
>> Signed-off-by: Pravin B Shelar <pshelar at nicira.com>
>> ---
>> datapath/flow_table.c | 3 ++-
>> 1 files changed, 2 insertions(+), 1 deletions(-)
>>
>> diff --git a/datapath/flow_table.c b/datapath/flow_table.c
>> index 765930e..21f67bf 100644
>> --- a/datapath/flow_table.c
>> +++ b/datapath/flow_table.c
>> @@ -247,9 +247,10 @@ static int tbl_mask_array_realloc(struct flow_table *tbl, int size)
>> if (old) {
>> int i;
>>
>> - for (i = 0; i < old->max; i++)
>> + for (i = 0; i < min(old->max, new->max); i++)
>> new->masks[i] = old->masks[i];
>>
>> + BUG_ON(old->count > new->max);
>> new->count = old->count;
>> }
>> rcu_assign_pointer(tbl->mask_array, new);
>> --
>> 1.7.1
>>
>> _______________________________________________
>> dev mailing list
>> dev at openvswitch.org
>> http://openvswitch.org/mailman/listinfo/dev
More information about the dev
mailing list