[ovs-dev] [PATCH] odp-util: Fix a use-after-free bug
Yifeng Sun
pkusunyifeng at gmail.com
Fri Oct 5 21:50:39 UTC 2018
After ofpbuf_put, actions may have been reallocated and
key will point to an invalid memory address.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10796
Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
---
lib/odp-util.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/odp-util.c b/lib/odp-util.c
index 890c71b7f336..7705bb30ae21 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -2242,13 +2242,14 @@ parse_odp_action(const char *s, const struct simap *port_names,
key->nla_len += size;
ofpbuf_put(actions, mask + 1, size);
- /* Add new padding as needed */
- ofpbuf_put_zeros(actions, NLA_ALIGN(key->nla_len) -
- key->nla_len);
-
/* 'actions' may have been reallocated by ofpbuf_put(). */
nested = ofpbuf_at_assert(actions, start_ofs, sizeof *nested);
nested->nla_type = OVS_ACTION_ATTR_SET_MASKED;
+
+ key = nested + 1;
+ /* Add new padding as needed */
+ ofpbuf_put_zeros(actions, NLA_ALIGN(key->nla_len) -
+ key->nla_len);
}
}
ofpbuf_uninit(&maskbuf);
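Review bot: the new `key = nested + 1;` only stays valid until the very next call that can grow `actions`, and `ofpbuf_put_zeros()` is such a call, so nothing may touch `nested` or `key` after it; the visible lines do not, but the existing comment `/* 'actions' may have been reallocated by ofpbuf_put(). */` should be extended to say that `key` is re-derived for the same reason and that both pointers are dead once `ofpbuf_put_zeros()` returns, so a later edit does not reintroduce the dangling read that the oss-fuzz report in the commit message describes. The padding argument `NLA_ALIGN(key->nla_len) - key->nla_len` is evaluated before the call, so reading `key` there is fine after the fix.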
--
2.7.4