[ovs-dev] [PATCH] odp-util: Fix a use-after-free bug
Yifeng Sun
pkusunyifeng at gmail.com
Fri Oct 5 22:43:03 UTC 2018
This patch should also fix the bug reported at
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10802
On Fri, Oct 5, 2018 at 2:50 PM Yifeng Sun <pkusunyifeng at gmail.com> wrote:
> After ofpbuf_put, actions may have been reallocated and
> key will point to an invalid memory address.
>
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10796
> Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
> ---
> lib/odp-util.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/lib/odp-util.c b/lib/odp-util.c
> index 890c71b7f336..7705bb30ae21 100644
> --- a/lib/odp-util.c
> +++ b/lib/odp-util.c
> @@ -2242,13 +2242,14 @@ parse_odp_action(const char *s, const struct simap
> *port_names,
> key->nla_len += size;
> ofpbuf_put(actions, mask + 1, size);
>
> - /* Add new padding as needed */
> - ofpbuf_put_zeros(actions, NLA_ALIGN(key->nla_len) -
> - key->nla_len);
> -
> /* 'actions' may have been reallocated by ofpbuf_put(). */
> nested = ofpbuf_at_assert(actions, start_ofs, sizeof
> *nested);
> nested->nla_type = OVS_ACTION_ATTR_SET_MASKED;
> +
> + key = nested + 1;
> + /* Add new padding as needed */
> + ofpbuf_put_zeros(actions, NLA_ALIGN(key->nla_len) -
> + key->nla_len);
> }
> }
> ofpbuf_uninit(&maskbuf);
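Review bot: the `ofpbuf_put_zeros()` call moved to the end of this hunk can itself reallocate `actions`, so `nested` and `key` are stale again as soon as it returns; nothing in the visible lines dereferences them after that, so the fix is correct as posted, but a comment next to the padding call such as `/* 'nested' and 'key' are invalid after this put. */` would stop the next edit from reintroducing the bug this patch removes. The new `key = nested + 1;` line also merits a one-line note that it recomputes `key` from the freshly re-derived `nested` pointer rather than from a saved offset, i.e. that it relies on the key attribute sitting immediately after the nested header, the same layout the earlier `ofpbuf_at_assert(actions, start_ofs, ...)` lookup assumes.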
> --
> 2.7.4
>
>
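The bug class behind this patch, shown on a toy growable buffer as an added example (this is not OVS code; `buf_put`, `buf_at`, `build_nested`, `nla_align` and `struct hdr` are hypothetical stand-ins for `ofpbuf_put`, `ofpbuf_at_assert`, `NLA_ALIGN` and `struct nlattr`). Every append may `realloc` the backing store, so only offsets are carried across appends and each pointer is re-derived right before use; a pointer taken before an append is stale after it, which is exactly how `key` dangled in the pre-patch code.

```c
/* Added example, not from the OVS tree. Demonstrates why a pointer into
 * a growable buffer must be re-derived from a saved offset after every
 * append that may reallocate. All names here are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct buf { uint8_t *data; size_t size, cap; };

/* Append 'n' bytes (zeros if p == NULL). May realloc, which frees the old
 * block and invalidates every raw pointer previously taken into data.
 * Returns the offset of the appended bytes, which stays valid. */
static size_t buf_put(struct buf *b, const void *p, size_t n) {
    if (b->size + n > b->cap) {
        size_t cap = b->cap ? b->cap : 8;
        while (cap < b->size + n) cap *= 2;
        uint8_t *nd = realloc(b->data, cap);   /* old b->data is freed here */
        if (!nd) abort();
        b->data = nd;
        b->cap = cap;
    }
    size_t ofs = b->size;
    if (p) memcpy(b->data + ofs, p, n); else memset(b->data + ofs, 0, n);
    b->size += n;
    return ofs;
}

/* Turn a saved offset back into a pointer; valid only until the next put. */
static void *buf_at(struct buf *b, size_t ofs) { return b->data + ofs; }

/* Round up to a 4-byte boundary, like NLA_ALIGN. */
static size_t nla_align(size_t n) { return (n + 3) & ~(size_t)3; }

struct hdr { uint16_t len; uint16_t type; };   /* stands in for struct nlattr */

/* Build outer header, inner header, payload, padding. Pointers into the
 * buffer are recomputed from offsets after each append. */
static size_t build_nested(struct buf *b, const void *payload, size_t n) {
    struct hdr zero = {0, 0};
    size_t outer_ofs = buf_put(b, &zero, sizeof zero);
    size_t inner_ofs = buf_put(b, &zero, sizeof zero);
    buf_put(b, payload, n);                      /* may realloc */

    struct hdr *inner = buf_at(b, inner_ofs);    /* re-derived, not stale */
    inner->len = (uint16_t)(sizeof *inner + n);
    inner->type = 1;
    /* This put may realloc too: 'inner' must not be touched after it. */
    buf_put(b, NULL, nla_align(inner->len) - inner->len);

    struct hdr *outer = buf_at(b, outer_ofs);    /* re-derived again */
    outer->len = (uint16_t)(b->size - outer_ofs);
    outer->type = 2;
    return outer_ofs;
}

/* Runs the builder with a constructed 5-byte payload on a buffer whose
 * initial capacity (8) forces a realloc during the payload put, then
 * checks the resulting layout. Returns 1 on success, 0 otherwise. */
static int demo_ok(void) {
    struct buf b = {0, 0, 0};
    uint8_t payload[5] = {1, 2, 3, 4, 5};        /* constructed sample input */
    size_t ofs = build_nested(&b, payload, sizeof payload);
    struct hdr *outer = buf_at(&b, ofs);
    struct hdr *inner = buf_at(&b, ofs + sizeof *outer);
    int ok = ofs == 0 && b.size == 16 && b.cap == 16
          && outer->type == 2 && outer->len == 16
          && inner->type == 1 && inner->len == 9
          && memcmp(buf_at(&b, 8), payload, 5) == 0;
    free(b.data);
    return ok;
}
```

Running `build_nested` under AddressSanitizer with the `buf_at` calls replaced by pointers taken before the payload put reproduces the heap-use-after-free the fuzzer reported, which is the quickest way to confirm a fix of this shape.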