[ovs-git] [CudaMailTagged] [openvswitch/ovs] ace39a: ofp-actions: Fix use-after-free in decode_NOTE.
GitHub
noreply at github.com
Fri Apr 29 21:08:51 UTC 2016
Branch: refs/heads/master
Home: https://github.com/openvswitch/ovs
Commit: ace39a6f63d4c28344ca0e2a2c4233ddbc16b07c
https://github.com/openvswitch/ovs/commit/ace39a6f63d4c28344ca0e2a2c4233ddbc16b07c
Author: Joe Stringer <joe at ovn.org>
Date: 2016-04-29 (Fri, 29 Apr 2016)
Changed paths:
M lib/ofp-actions.c
M tests/ofproto-dpif.at
Log Message:
-----------
ofp-actions: Fix use-after-free in decode_NOTE.

When decoding the 'note' action, variable-length data could be pushed to
a buffer immediately prior to calling ofpact_finish_NOTE(). The
ofpbuf_put() could cause reallocation, in which case the finish call
could access freed memory. Fix the issue by updating the local pointer
before passing it to ofpact_finish_NOTE().

If the memory was reused, it may trigger an assert in ofpact_finish():

    assertion ofpact == ofpacts->header failed in ofpact_finish()

With the included test, make check-valgrind reports:

Invalid read of size 1
at 0x500A9F: ofpact_finish_NOTE (ofp-actions.h:988)
by 0x4FE5C1: decode_NXAST_RAW_NOTE (ofp-actions.c:4557)
by 0x4FBC05: ofpact_decode (ofp-actions.inc2:3831)
by 0x4F7E87: ofpacts_decode (ofp-actions.c:5780)
by 0x4F709F: ofpacts_pull_openflow_actions__ (ofp-actions.c:5817)
by 0x4F7856: ofpacts_pull_openflow_instructions (ofp-actions.c:6397)
by 0x52CFF5: ofputil_decode_flow_mod (ofp-util.c:1727)
by 0x5227A9: ofp_print_flow_mod (ofp-print.c:789)
by 0x520823: ofp_to_string__ (ofp-print.c:3235)
by 0x5204F6: ofp_to_string (ofp-print.c:3468)
by 0x5925C8: do_recv (vconn.c:644)
by 0x592372: vconn_recv (vconn.c:598)
by 0x565CEA: rconn_recv (rconn.c:703)
by 0x46CB62: ofconn_run (connmgr.c:1367)
by 0x46C7AD: connmgr_run (connmgr.c:320)
by 0x4224A9: ofproto_run (ofproto.c:1763)
by 0x407C0D: bridge_run__ (bridge.c:2888)
by 0x40767A: bridge_run (bridge.c:2943)
by 0x4161B7: main (ovs-vswitchd.c:120)
Signed-off-by: Joe Stringer <joe at ovn.org>
Acked-by: Ansis Atteka <ansisatteka at gmail.com>
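
The pointer-refresh pattern the log message describes, as an added example that is not code from the OVS tree: a header pointer obtained from a growable buffer goes stale when a later append reallocates, so it is re-derived from a saved offset before the finish step. struct buf, struct note, buf_put(), note_finish() and decode_note() are hypothetical stand-ins, not OVS APIs, and the sample payload is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a growable buffer such as OVS's ofpbuf. */
struct buf { uint8_t *data; size_t size, cap; };
/* Header stored in the buffer, followed by variable-length payload. */
struct note { uint16_t len, data_len; };

/* Append n bytes. May realloc(), which invalidates pointers into b->data. */
static void *buf_put(struct buf *b, const void *p, size_t n)
{
    if (b->size + n > b->cap) {
        b->cap = (b->size + n) * 2;
        b->data = realloc(b->data, b->cap);
        if (!b->data) abort();
    }
    memcpy(b->data + b->size, p, n);
    b->size += n;
    return b->data + b->size - n;
}

/* Finish step: records the total length in the header it is handed. */
static void note_finish(struct buf *b, struct note *n)
{
    n->len = (uint16_t)(b->data + b->size - (uint8_t *)n);
}

/* Decodes one note into b and returns the offset of its header. */
static size_t decode_note(struct buf *b, const void *payload, uint16_t plen)
{
    static const uint8_t zeros[4];
    struct note hdr = { 0, plen };
    size_t off = b->size;                 /* offsets survive reallocation */
    struct note *n = buf_put(b, &hdr, sizeof hdr);
    buf_put(b, payload, plen);            /* may move the buffer: n is stale */
    buf_put(b, zeros, (4 - b->size % 4) % 4);  /* keep next header aligned */
    n = (struct note *)(b->data + off);   /* re-derive before touching it */
    note_finish(b, n);
    return off;
}

int main(void)
{
    struct buf b = { NULL, 0, 0 };
    size_t off = decode_note(&b, "constructed sample", 18);
    int ok = ((struct note *)(b.data + off))->len == 24;
    free(b.data);
    return !ok;
}
```

Dropping the re-derivation line reproduces the class of bug in the log message: note_finish() would then write through a pointer into memory that realloc() may already have released.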