[ovs-discuss] Arguments to memcmp() must be nonnull

Justin Pettit jpettit at nicira.com
Tue Aug 11 17:25:05 UTC 2015


> On Aug 11, 2015, at 12:23 AM, neeraj mehta <mehtaneeraj07 at gmail.com> wrote:
> 
> Hi,
> 
> There is a possible defect in "utilities/ovs-ofctl.c" line 2013 OVS-2.3.2.
> 
> In ovs-ofctl.c, NULL(in certain conditions) being passed as argument in memcmp().
> ISO C says that the arguments to memcmp() must not be NULL.
> 
> ---
> 
> "lib/ofpbuf.h" 425L, 14598C OVS-2.3.2
> 
> static inline void * ofpbuf_l3(const struct ofpbuf *b)
> {
>     return b->l3_ofs != UINT16_MAX ? (char *)b->frame + b->l3_ofs : NULL;
> }
> ---
> 
> ---
> "utilities/ovs-ofctl.c" line 2013 OVS-2.3.2
> if (ofptype_pull(&type, reply)
>             || type != OFPTYPE_ECHO_REPLY
>             || ofpbuf_size(reply) != payload
>             || memcmp(ofpbuf_l3(request), ofpbuf_l3(reply), payload)) {
> ---
> 
> One of possible solutions for this can be:
> 
> ---
> "utilities/ovs-ofctl.c" line 2013 OVS-2.3.2
> if (ofptype_pull(&type, reply)
>              || type != OFPTYPE_ECHO_REPLY
>              || ofpbuf_size(reply) != payload
> +           || !ofpbuf_l3(request) || !ofpbuf_l3(reply)
>              || memcmp(ofpbuf_l3(request), ofpbuf_l3(reply), payload)) {
> ---
> 
> Can someone confirm the above understanding?
> If this is an issue, I will submit a patch against this.

Do you see a way for "l3_ofs" to not bet set?  It looks to me like "request" is set by ofpraw_alloc() and "reply" is set by ofptype_pull().

--Justin





More information about the discuss mailing list