[ovs-git] [openvswitch/ovs] 484523: ofp-util: Fix use-after-free in group append.

GitHub noreply at github.com
Mon Mar 7 19:16:34 UTC 2016


  Branch: refs/heads/branch-2.5
  Home:   https://github.com/openvswitch/ovs
  Commit: 48452387c904ad66cdd9b73cc04c52cc1d248cc3
      https://github.com/openvswitch/ovs/commit/48452387c904ad66cdd9b73cc04c52cc1d248cc3
  Author: William Tu <u9012063 at gmail.com>
  Date:   2016-03-07 (Mon, 07 Mar 2016)

  Changed paths:
    M lib/ofp-util.c

  Log Message:
  -----------
  ofp-util: Fix use-after-free in group append.

Upstream commit ef5774e30e3232e6d25e6e0d03cdf1fed6577505.

It is possible for ofpbuf_put() to realloc a newly allocated address,
causing the previously referenced pointer, ogds, to point to an old/free'd
address. The issue is generated by forcing ofpbuf_put() to use a newly
allocated buffer, and valgrind reports an invalid write. The similar syndrome
is reported at: https://patchwork.ozlabs.org/patch/591330/

Invalid write of size 2
    ofputil_append_ofp15_group_desc_reply (ofp-util.c:8367)
    ofputil_append_group_desc_reply (ofp-util.c:8392)
    append_group_desc (ofproto.c:6262)
    handle_group_request (ofproto.c:6230)
    handle_group_desc_stats_request (ofproto.c:6269)
    handle_openflow__ (ofproto.c:7337)
    handle_openflow (ofproto.c:7403)
    ofconn_run (connmgr.c:1379)
    connmgr_run (connmgr.c:323)
    ofproto_run (ofproto.c:1762)
    bridge_run__ (bridge.c:2885)
    bridge_run (bridge.c:2940)
    main (ovs-vswitchd.c:120)

Address 0x7cb1020 is 144 bytes inside a block of size 1,144 free'd
    free (vg_replace_malloc.c:530)
    ofpbuf_resize__ (ofpbuf.c:246)
    ofpbuf_put (ofpbuf.c:386)
    nx_put_header__ (nx-match.c:1241)
    nxm_put__ (nx-match.c:697)
    oxm_put_field_array (nx-match.c:1226)
    ofputil_put_group_prop_ntr_selection_method (ofp-util.c:8305)
    ofputil_append_ofp15_group_desc_reply (ofp-util.c:8364)
    ofputil_append_group_desc_reply (ofp-util.c:8392)
    append_group_desc (ofproto.c:6262)

Signed-off-by: William Tu <u9012063 at gmail.com>
Signed-off-by: Joe Stringer <joe at ovn.org>
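
The failure mode in the log message above, as an added example that is not code from this commit or from Open vSwitch: a header is appended, more data is appended (which may move the buffer), and the header is then back-filled. All names here (buf, buf_put, rec_hdr, append_record, demo) are hypothetical stand-ins; the safe form keeps an offset and re-derives the address after the last append.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical growable buffer, standing in for a message buffer like ofpbuf. */
struct buf { uint8_t *base; size_t size, cap; };
struct rec_hdr { uint16_t length, type; };   /* constructed record layout */

/* Append n bytes; return their offset, or SIZE_MAX on allocation failure.
 * Growth always moves the data, so pointers taken before the call go stale. */
static size_t buf_put(struct buf *b, const void *p, size_t n)
{
    if (n > b->cap - b->size) {
        size_t cap = (b->size + n) * 2;
        uint8_t *nb = malloc(cap);
        if (!nb) return SIZE_MAX;
        if (b->size) memcpy(nb, b->base, b->size);
        free(b->base);               /* the old block is gone from here on */
        b->base = nb;
        b->cap = cap;
    }
    memcpy(b->base + b->size, p, n);
    b->size += n;
    return b->size - n;
}

/* Append header + payload, then back-fill header.length. */
static size_t append_record(struct buf *b, const void *payload, size_t n)
{
    struct rec_hdr h = { 0, 1 };
    size_t start = buf_put(b, &h, sizeof h);
    if (start == SIZE_MAX) return SIZE_MAX;
    /* Unsafe: taking hp = b->base + start here and writing through it after
     * the next buf_put() is the kind of invalid write valgrind reports. */
    if (buf_put(b, payload, n) == SIZE_MAX) { b->size = start; return SIZE_MAX; }
    uint16_t len = (uint16_t)(b->size - start);
    /* Safe: keep the offset, re-derive the address after the last append. */
    memcpy(b->base + start + offsetof(struct rec_hdr, length), &len, sizeof len);
    return start;
}

/* Build one record in an empty buffer and return its back-filled length. */
uint16_t demo(size_t payload_len)
{
    struct buf b = { NULL, 0, 0 };
    uint8_t payload[1024] = { 0 };   /* constructed sample payload */
    uint16_t len = 0;
    if (payload_len <= sizeof payload && append_record(&b, payload, payload_len) == 0)
        memcpy(&len, b.base, sizeof len);
    free(b.base);
    return len;
}
int main(void) { return demo(1000) == 1004 ? 0 : 1; }
```

With a 1000-byte payload the second append forces a move, so a pointer saved before it would land in the freed block; building with -fsanitize=address or running under valgrind flags that variant.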



