[ovs-dev] [PATCH 2/4] ofp-actions: Fix use-after-free in bundle action.

Joe Stringer joe at ovn.org
Sat Mar 5 20:44:54 UTC 2016


On 5 March 2016 at 09:13, William Tu <u9012063 at gmail.com> wrote:
> Hi Joe,
>
> On Thu, Mar 3, 2016 at 12:22 AM, Joe Stringer <joe at ovn.org> wrote:
>>
>> If the actions list in an incoming flow mod is long enough, and there is
>> a bundle() action with 3 or more slaves, then it is possible for a
>> index ae961f6cc5bb..fe1424f137a1 100644
>> --- a/lib/ofp-actions.c
>> +++ b/lib/ofp-actions.c
>> @@ -1253,9 +1253,9 @@ decode_bundle(bool load, const struct
>> nx_action_bundle *nab,
>>      for (i = 0; i < bundle->n_slaves; i++) {
>>          uint16_t ofp_port = ntohs(((ovs_be16 *)(nab + 1))[i]);
>>          ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
>> +        bundle = ofpacts->header;
>>      }
>>
>> -    bundle = ofpacts->header;
>>      ofpact_finish(ofpacts, &bundle->ofpact);
>>
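Review bot: moving `bundle = ofpacts->header;` into the loop body is the right shape of fix here, because the loop condition `i < bundle->n_slaves` dereferences `bundle` on every iteration and the `ofpbuf_put` in the body may reallocate `ofpacts`, leaving the old `bundle` dangling; a cheaper equivalent is to copy the count into a local before the loop (`uint16_t n_slaves = bundle->n_slaves;`), loop on that, and keep one refresh after the loop. Whichever form is kept, `ofpact_finish(ofpacts, &bundle->ofpact);` is the last visible use and is safe because its argument is computed before the call, but `ofpact_finish` can grow the buffer too, so any use of `bundle` after it (none shown in this hunk) would need another `bundle = ofpacts->header;`.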
>
> I think we need to add another
>       bundle = ofpacts->header;
> right after
>       ofpact_finish(ofpacts, &bundle->ofpact);
>
> Since ofpact_finish could potentially call ofpbuf_put_zero and realloc the
> buffer to a new address.

I agree, though fortunately this only affects master. There's also
another case in CT action. I can follow up on this, thanks for
pointing it out.
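To make the hazard under discussion concrete, the following is an added, self-contained C illustration; it is not OVS code. The `toybuf`, `toy_bundle`, `toy_finish` and `demo_with_capacity` names are invented stand-ins for ofpbuf, the bundle action header, ofpact_finish and decode_bundle, and the toy buffer always moves to a fresh block when it grows so that the pointer invalidation is deterministic (a real realloc may or may not move). The loop keeps the patched pattern of refreshing `bundle` after every put and counts how many times the held pointer became dangling, which is exactly how often the unpatched loop condition would have read freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable buffer modelled on the shape of OVS's ofpbuf (added
 * illustration, not the real ofpbuf): `header` marks the action being
 * built and is fixed up whenever the storage moves. */
struct toybuf {
    uint8_t *base;
    size_t size;
    size_t capacity;
    void *header;               /* start of the action being decoded, or NULL */
};

/* Stand-in for the bundle action header: slave ports follow it in the buffer. */
struct toy_bundle {
    uint16_t n_slaves;
    uint16_t len;               /* bytes incl. ports and padding, set by finish */
};

static void toybuf_init(struct toybuf *b, size_t capacity)
{
    b->base = malloc(capacity);
    b->size = 0;
    b->capacity = capacity;
    b->header = NULL;
}

/* Grow by always moving to a fresh block so the move is deterministic;
 * the old storage is freed, so any pointer into it is now dangling. */
static void toybuf_grow(struct toybuf *b, size_t need)
{
    size_t new_cap = b->capacity ? b->capacity : 1;
    while (new_cap < need) {
        new_cap *= 2;
    }
    uint8_t *nb = malloc(new_cap);
    memcpy(nb, b->base, b->size);
    if (b->header) {
        b->header = nb + ((uint8_t *)b->header - b->base);
    }
    free(b->base);
    b->base = nb;
    b->capacity = new_cap;
}

/* Append n bytes (zeros if data is NULL), like ofpbuf_put / ofpbuf_put_zeros. */
static void *toybuf_put(struct toybuf *b, const void *data, size_t n)
{
    if (b->size + n > b->capacity) {
        toybuf_grow(b, b->size + n);
    }
    void *dst = b->base + b->size;
    if (data) {
        memcpy(dst, data, n);
    } else {
        memset(dst, 0, n);
    }
    b->size += n;
    return dst;
}

/* Pad the action to 8 bytes and record its length, like ofpact_finish.
 * The padding put can itself move the buffer. */
static void toy_finish(struct toybuf *b)
{
    struct toy_bundle *hdr = b->header;
    size_t len = b->size - (size_t)((uint8_t *)hdr - b->base);
    size_t pad = (8 - len % 8) % 8;
    toybuf_put(b, NULL, pad);
    hdr = b->header;            /* re-read: the put above may have moved it */
    hdr->len = (uint16_t)(len + pad);
}

/* Decode three slave ports into a buffer of the given initial capacity,
 * refreshing `bundle` after every put (the patched pattern). Returns how
 * many times the storage moved while `bundle` was held, i.e. how often the
 * unpatched loop condition would have read freed memory; -1 if the decoded
 * action does not read back correctly. */
int demo_with_capacity(size_t initial_capacity)
{
    const uint16_t ports[3] = { 1, 2, 3 };          /* constructed input */
    const uint16_t n = 3;
    struct toybuf b;
    int moves = 0;

    toybuf_init(&b, initial_capacity);
    struct toy_bundle init = { n, 0 };
    b.header = toybuf_put(&b, &init, sizeof init);
    struct toy_bundle *bundle = b.header;

    for (uint16_t i = 0; i < bundle->n_slaves; i++) {
        toybuf_put(&b, &ports[i], sizeof ports[i]);
        if (b.header != (void *)bundle) {
            moves++;                /* `bundle` just became dangling */
        }
        bundle = b.header;          /* the fix: refresh before the next test */
    }
    toy_finish(&b);
    bundle = b.header;              /* finish may move the buffer as well */

    /* Read back through the refreshed pointer and verify the result. */
    const uint16_t *stored = (const uint16_t *)(bundle + 1);
    int ok = bundle->n_slaves == n && bundle->len == 16;
    for (uint16_t i = 0; ok && i < n; i++) {
        ok = stored[i] == ports[i];
    }
    free(b.base);
    return ok ? moves : -1;
}

int main(void)
{
    printf("capacity 4: buffer moved %d times\n", demo_with_capacity(4));
    printf("capacity 64: buffer moved %d times\n", demo_with_capacity(64));
    return 0;
}
```

With a 4-byte initial capacity the buffer moves twice during the loop, so the pre-patch code would have evaluated `bundle->n_slaves` through a freed pointer twice; with 64 bytes it never moves and the same code is accidentally fine, which is why the bug only surfaces when the actions list is long enough.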
