[ovs-dev] [PATCH 2/4] ofp-actions: Fix use-after-free in bundle action.
Joe Stringer
joe at ovn.org
Sat Mar 5 20:44:54 UTC 2016
On 5 March 2016 at 09:13, William Tu <u9012063 at gmail.com> wrote:
> Hi Joe,
>
> On Thu, Mar 3, 2016 at 12:22 AM, Joe Stringer <joe at ovn.org> wrote:
>>
>> If the actions list in an incoming flow mod is long enough, and there is
>> a bundle() action with 3 or more slaves, then it is possible for a
>> index ae961f6cc5bb..fe1424f137a1 100644
>> --- a/lib/ofp-actions.c
>> +++ b/lib/ofp-actions.c
>> @@ -1253,9 +1253,9 @@ decode_bundle(bool load, const struct
>> nx_action_bundle *nab,
>> for (i = 0; i < bundle->n_slaves; i++) {
>> uint16_t ofp_port = ntohs(((ovs_be16 *)(nab + 1))[i]);
>> ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
>> + bundle = ofpacts->header;
>> }
>>
>> - bundle = ofpacts->header;
>> ofpact_finish(ofpacts, &bundle->ofpact);
>>
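Review bot: The in-loop `bundle = ofpacts->header;` is needed because the loop condition re-reads `bundle->n_slaves` after each `ofpbuf_put()`, which can reallocate `ofpacts`, but the same hazard remains on the next line: `ofpact_finish()` can also grow the buffer (it may call `ofpbuf_put_zero()` to pad the action), so any use of `bundle` after `ofpact_finish(ofpacts, &bundle->ofpact);` needs another `bundle = ofpacts->header;` immediately after that call. A one-line comment on the in-loop assignment would also help, since without it the refresh looks redundant.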
>
> I think we need to add another
> bundle = ofpacts->header;
> right after
> ofpact_finish(ofpacts, &bundle->ofpact);
>
> Since ofpact_finish could potentially call ofpbuf_put_zero and realloc
> buffer to new address.
I agree, though fortunately this only affects master. There's also
another case in CT action. I can follow up on this, thanks for
pointing it out.
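The stale-pointer pattern this thread is about, as an added example that is not OVS code: a tiny growable buffer with a "header" offset, and an encoder that re-reads the header pointer after every append and after the final padding step, because either can move the underlying allocation. The buffer type, `buf_put()`, `encode_bundle()` and the `bundle_hdr` layout are all hypothetical stand-ins for ofpbuf, ofpbuf_put() and decode_bundle().

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer; 'header_ofs' plays the role of ofpbuf's
 * header pointer but is stored as an offset so it survives reallocation. */
struct buf {
    uint8_t *base;          /* may move on reallocation */
    size_t size, allocated;
    size_t header_ofs;      /* offset of the action currently being built */
};

static void *buf_header(struct buf *b) { return b->base + b->header_ofs; }

/* Append 'n' bytes (zeros if data is NULL), growing the buffer. Any pointer
 * into b->base obtained before this call may be stale afterwards. */
static void *buf_put(struct buf *b, const void *data, size_t n)
{
    if (b->size + n > b->allocated) {
        size_t want = (b->size + n) * 2;
        uint8_t *nb = malloc(want);     /* new block, so the old one really moves */
        if (!nb) abort();
        memcpy(nb, b->base, b->size);
        free(b->base);
        b->base = nb;
        b->allocated = want;
    }
    void *dst = b->base + b->size;
    if (data) memcpy(dst, data, n); else memset(dst, 0, n);
    b->size += n;
    return dst;
}

struct bundle_hdr { uint32_t len; uint16_t n_slaves; uint16_t pad; };

/* Encode a header followed by 'n' 16-bit ports, then pad to 8 bytes.
 * Returns the final action length. Mirrors the fixed decode_bundle() shape. */
static size_t encode_bundle(struct buf *b, const uint16_t *ports, uint16_t n)
{
    b->header_ofs = b->size;
    struct bundle_hdr hdr = { sizeof hdr, n, 0 };
    struct bundle_hdr *bundle = buf_put(b, &hdr, sizeof hdr);
    for (uint16_t i = 0; i < bundle->n_slaves; i++) {
        buf_put(b, &ports[i], sizeof ports[i]);
        bundle = buf_header(b);         /* refresh: buf_put may have moved base */
    }
    size_t len = b->size - b->header_ofs;
    buf_put(b, NULL, (8 - len % 8) % 8);  /* "finish": padding can reallocate too */
    bundle = buf_header(b);             /* refresh again before dereferencing */
    bundle->len = (uint32_t)(b->size - b->header_ofs);
    return bundle->len;
}
```

Starting with an 8-byte allocation forces the move to happen inside the slave loop, which is exactly the case the in-loop refresh covers.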