[ovs-dev] [PATCH v2 2/2] ofp-util: Fix memory leaks on error cases in ofputil_pull_ofp11_buckets().

Ben Pfaff blp at ovn.org
Wed Sep 20 16:39:32 UTC 2017


Found by libFuzzer.

Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 lib/ofp-util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index e915cb2ab2d7..8c294727bfa3 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -9174,6 +9174,7 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length,
         if (!ob) {
             VLOG_WARN_RL(&bad_ofmsg_rl, "buckets end with %"PRIuSIZE" leftover bytes",
                          buckets_length);
+            ofputil_bucket_list_destroy(buckets);
             return OFPERR_OFPGMFC_BAD_BUCKET;
         }
 
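Review bot: The pair `ofputil_bucket_list_destroy(buckets); return OFPERR_OFPGMFC_BAD_BUCKET;` is now written out at three exits (the `!ob` branch here and both `ob_len` checks in the next hunk), so any error return added to this loop later can reintroduce the leak. A single exit would be harder to get wrong: have each branch set `error = OFPERR_OFPGMFC_BAD_BUCKET;` and `goto err;`, with one `err:` label that destroys the list and returns `error`. The function body starts and ends outside both hunks, so whether an `error` variable is already in scope, or whether the remaining exits already clean up, cannot be confirmed from here.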
@@ -9181,11 +9182,13 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length,
         if (ob_len < sizeof *ob) {
             VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length "
                          "%"PRIuSIZE" is not valid", ob_len);
+            ofputil_bucket_list_destroy(buckets);
             return OFPERR_OFPGMFC_BAD_BUCKET;
         } else if (ob_len > buckets_length) {
             VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length "
                          "%"PRIuSIZE" exceeds remaining buckets data size %"PRIuSIZE,
                          ob_len, buckets_length);
+            ofputil_bucket_list_destroy(buckets);
             return OFPERR_OFPGMFC_BAD_BUCKET;
         }
         buckets_length -= ob_len;
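Review bot: Nothing in the patch pins the fix with a test, and both branches here are driven by a length field read from the message (`ob_len` checked against `sizeof *ob` and `buckets_length`), so a peer able to send malformed bucket lists could presumably have leaked memory on every such message. A regression case that feeds one bucket with a too-short length and one with a length larger than the remaining data through the decoder, run under a leak checker, would keep this from coming back. The function's header comment should also state the error contract, for example `/* On error, every bucket already appended to 'buckets' has been freed. */`. If any caller also destroys the list on failure, that is only safe when ofputil_bucket_list_destroy() leaves the list head empty, and neither the callers nor that function are visible in this hunk.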
-- 
2.10.2


