[ovs-dev] [PATCH] odp-util: Fix a use-after-free bug

Yifeng Sun pkusunyifeng at gmail.com
Fri Oct 5 21:50:39 UTC 2018


After ofpbuf_put, actions may have been reallocated and
key will point to invalid memory address.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10796
Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
---
 lib/odp-util.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/odp-util.c b/lib/odp-util.c
index 890c71b7f336..7705bb30ae21 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -2242,13 +2242,14 @@ parse_odp_action(const char *s, const struct simap *port_names,
                 key->nla_len += size;
                 ofpbuf_put(actions, mask + 1, size);
 
-                /* Add new padding as needed */
-                ofpbuf_put_zeros(actions, NLA_ALIGN(key->nla_len) -
-                                          key->nla_len);
-
                 /* 'actions' may have been reallocated by ofpbuf_put(). */
                 nested = ofpbuf_at_assert(actions, start_ofs, sizeof *nested);
                 nested->nla_type = OVS_ACTION_ATTR_SET_MASKED;
+
+                key = nested + 1;
+                /* Add new padding as needed */
+                ofpbuf_put_zeros(actions, NLA_ALIGN(key->nla_len) -
+                                          key->nla_len);
             }
         }
         ofpbuf_uninit(&maskbuf);
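Review bot: the moved `ofpbuf_put_zeros()` call can reallocate `actions` just as `ofpbuf_put()` did, so `nested` and `key` are stale again as soon as it returns; this is safe only because the block ends right after it, and that reliance deserves a comment, since a later edit that touches `key` or `nested` after the padding call would reintroduce the same use-after-free. A simpler shape that avoids re-deriving `key = nested + 1` at all is to capture the length into a local immediately after `key->nla_len += size;` (e.g. `uint16_t key_len = key->nla_len;`) and pad with `ofpbuf_put_zeros(actions, NLA_ALIGN(key_len) - key_len);`, which removes every post-reallocation dereference of `key` from this path. Either way, the `/* 'actions' may have been reallocated by ofpbuf_put(). */` comment should be extended to mention `ofpbuf_put_zeros()` as well.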
-- 
2.7.4