[ovs-dev] [PATCH 2/4] ofp-actions: Fix use-after-free in bundle action.

William Tu u9012063 at gmail.com
Sat Mar 5 17:13:49 UTC 2016


Hi Joe,

On Thu, Mar 3, 2016 at 12:22 AM, Joe Stringer <joe at ovn.org> wrote:

> If the actions list in an incoming flow mod is long enough, and there is
> a bundle() action with 3 or more slaves, then it is possible for a
> index ae961f6cc5bb..fe1424f137a1 100644
> --- a/lib/ofp-actions.c
> +++ b/lib/ofp-actions.c
> @@ -1253,9 +1253,9 @@ decode_bundle(bool load, const struct
> nx_action_bundle *nab,
>      for (i = 0; i < bundle->n_slaves; i++) {
>          uint16_t ofp_port = ntohs(((ovs_be16 *)(nab + 1))[i]);
>          ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
> +        bundle = ofpacts->header;
>      }
>
> -    bundle = ofpacts->header;
>      ofpact_finish(ofpacts, &bundle->ofpact);
>
>
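Review bot: the `bundle = ofpacts->header;` added inside the loop is what keeps the loop condition `i < bundle->n_slaves` safe, because each `ofpbuf_put()` can reallocate `ofpacts` and leave `bundle` dangling; a one-line comment saying so would stop a later cleanup from hoisting it back out of the loop. An alternative that avoids re-reading the header on every iteration is to copy `n_slaves` into a local before the loop. Note also that `bundle` is then passed to `ofpact_finish()`, which can grow the buffer as well (its `ofpbuf_put_zero()` padding, as the follow-up in this thread points out), so any use of `bundle` after that call needs another `bundle = ofpacts->header;`.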
I think we need to add another
      bundle = ofpacts->header;
right after
      ofpact_finish(ofpacts, &bundle->ofpact);

Since ofpact_finish could potentially call ofpbuf_put_zero and realloc
the buffer to a new address.

Regards,
William

>      if (!error) {
> --
> 2.1.4
>
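The stale-pointer pattern discussed in this thread, as an added stand-alone example that is not Open vSwitch code: a minimal growable buffer in the spirit of ofpbuf (the names struct buf, buf_put, buf_finish and bundle_act are invented here) and a bundle decoder that keeps a pointer to the action header across puts. The buffer grows by allocating new storage and freeing the old block, so the old pointer is guaranteed invalid after growth, which makes the hazard deterministic instead of depending on whether realloc() happens to move; the decoder compares its cached pointer against the buffer's current header before every dereference, standing in for what AddressSanitizer or valgrind would report, and returns -1 rather than reading freed memory.

```c
/* Added example, not OVS code.  Demonstrates why a pointer into a growable
 * buffer must be re-read after every put, including the one in finish(). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct buf {
    uint8_t *base;   /* start of storage; changes whenever the buffer grows */
    size_t size;     /* bytes in use */
    size_t cap;      /* bytes allocated */
    void *header;    /* start of the action being built, kept valid by buf_put() */
};

static void buf_init(struct buf *b)
{
    b->cap = 8;                  /* tiny on purpose so growth happens on the first port */
    b->base = malloc(b->cap);
    b->size = 0;
    b->header = NULL;
}

static void buf_free(struct buf *b)
{
    free(b->base);
    b->base = NULL;
}

/* Append n bytes.  Growth allocates new storage, copies and frees the old
 * block, so any pointer into the old block is invalid afterwards. */
static void *buf_put(struct buf *b, const void *data, size_t n)
{
    if (b->size + n > b->cap) {
        size_t new_cap = (b->size + n) * 2;
        uint8_t *new_base = malloc(new_cap);
        memcpy(new_base, b->base, b->size);
        if (b->header) {
            b->header = new_base + ((uint8_t *) b->header - b->base);
        }
        free(b->base);
        b->base = new_base;
        b->cap = new_cap;
    }
    void *dst = b->base + b->size;
    memcpy(dst, data, n);
    b->size += n;
    return dst;
}

struct bundle_act {
    uint32_t n_slaves;
    uint32_t len;    /* total length including padding, filled in by buf_finish() */
};

/* Pad the action to 8 bytes and record its length; like ofpact_finish(), the
 * padding put may move the buffer. */
static void buf_finish(struct buf *b)
{
    static const uint8_t zeros[8];
    size_t len = b->size - ((uint8_t *) b->header - b->base);
    size_t pad = (8 - len % 8) % 8;
    buf_put(b, zeros, pad);
    ((struct bundle_act *) b->header)->len = (uint32_t) (len + pad);
}

/* Emit a bundle action with n slave ports.  refresh == false keeps the header
 * pointer obtained before the loop (the use-after-free pattern); refresh == true
 * re-reads out->header after every put and after finish, as the patch and the
 * follow-up suggest.  Returns the finished length, or -1 when the cached pointer
 * no longer matches the buffer and dereferencing it would read freed memory. */
static int decode_bundle(struct buf *out, const uint16_t *ports, uint32_t n, bool refresh)
{
    struct bundle_act hdr = { n, 0 };
    struct bundle_act *bundle = buf_put(out, &hdr, sizeof hdr);
    out->header = bundle;

    for (uint32_t i = 0; ; i++) {
        if ((void *) bundle != out->header) {
            return -1;           /* bundle->n_slaves would be a use-after-free */
        }
        if (i >= bundle->n_slaves) {
            break;
        }
        buf_put(out, &ports[i], sizeof ports[i]);   /* may move the buffer */
        if (refresh) {
            bundle = out->header;
        }
    }

    buf_finish(out);             /* may move the buffer again */
    if (refresh) {
        bundle = out->header;
    }
    if ((void *) bundle != out->header) {
        return -1;
    }
    return (int) bundle->len;
}

/* Decode constructed ports 1..n_ports (max 16) into a fresh buffer. */
static int run_decode(uint32_t n_ports, bool refresh)
{
    uint16_t ports[16];
    struct buf b;
    for (uint32_t i = 0; i < n_ports && i < 16; i++) {
        ports[i] = (uint16_t) (i + 1);
    }
    buf_init(&b);
    int rc = decode_bundle(&b, ports, n_ports, refresh);
    buf_free(&b);
    return rc;
}

int main(void)
{
    printf("stale pointer kept:    %d\n", run_decode(3, false));
    printf("pointer refreshed (3): %d\n", run_decode(3, true));
    printf("pointer refreshed (5): %d\n", run_decode(5, true));
    return 0;
}
```

With the 8-byte initial capacity the first port put always moves the buffer, so the unrefreshed decoder fails on its second loop check; with five ports the padding put in buf_finish() moves the buffer a second time, which is exactly the case the follow-up raises for ofpact_finish().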
