[ovs-git] [openvswitch/ovs] e659c9: nx-match: Fix use-after-free parsing matches.

GitHub noreply at github.com
Tue Mar 29 21:11:46 UTC 2016


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: e659c96bca2c9dbb800ce7882610fd39172c1cef
      https://github.com/openvswitch/ovs/commit/e659c96bca2c9dbb800ce7882610fd39172c1cef
  Author: Joe Stringer <joe at ovn.org>
  Date:   2016-03-30 (Wed, 30 Mar 2016)

  Changed paths:
    M lib/nx-match.c

  Log Message:
  -----------
  nx-match: Fix use-after-free parsing matches.

The address pointed to by header_ptr might be free'd due to a realloc
that happened in ofpbuf_put_hex(). Reported by valgrind in the test
379: check TCP flags expression in OXM and NXM.

Invalid write of size 4
    nx_match_from_string_raw (nx-match.c:1510)
    nx_match_from_string (nx-match.c:1538)
    ofctl_parse_nxm__ (ovs-ofctl.c:3325)
    ovs_cmdl_run_command (command-line.c:121)
    main (ovs-ofctl.c:137)

Address 0x7a2cc40 is 0 bytes inside a block of size 64 free'd
    free (vg_replace_malloc.c:530)
    ofpbuf_resize__ (ofpbuf.c:246)
    ofpbuf_put (ofpbuf.c:386)
    ofpbuf_put_hex (ofpbuf.c:414)
    nx_match_from_string_raw (nx-match.c:1488)
    nx_match_from_string (nx-match.c:1538)
    ofctl_parse_nxm__ (ovs-ofctl.c:3325)

Reported-by: William Tu <u9012063 at gmail.com>
Signed-off-by: Joe Stringer <joe at ovn.org>
Acked-by: Ben Pfaff <blp at ovn.org>


  Commit: ebe12cd3e1ea2cb7866438cd171464bc5f9fcc8f
      https://github.com/openvswitch/ovs/commit/ebe12cd3e1ea2cb7866438cd171464bc5f9fcc8f
  Author: Joe Stringer <joe at ovn.org>
  Date:   2016-03-30 (Wed, 30 Mar 2016)

  Changed paths:
    M lib/bundle.c
    M lib/ofp-actions.c
    M lib/ofp-actions.h
    M ofproto/ofproto-dpif.c

  Log Message:
  -----------
  ofp-actions: Fix use-after-free with ofpact_finish().

ofpact_finish() may now reallocate the buffer it is passed, but not all
callers updated their local pointers to the current action in the
buffer. This could potentially lead to several use-after-free bugs.

Update ofpact_finish() to return the new pointer to the ofpact which is
provided, and update the calling points to ensure that their local
pointers are pointing into the correct (potentially reallocated) buffer.

Fixes: 2bd318dec242 ("ofp-actions: Make composing actions harder to screw up.")
Reported-by: William Tu <u9012063 at gmail.com>
Signed-off-by: Joe Stringer <joe at ovn.org>
Acked-by: Ben Pfaff <blp at ovn.org>
Acked-by: Ryan Moats <rmoats at us.ibm.com>


Compare: https://github.com/openvswitch/ovs/compare/f3ea2ad27fd0...ebe12cd3e1ea
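
The bug class both commits address (a pointer into a growable buffer kept across a call that may reallocate it), shown as an added C example that is not part of the original message or the OVS source. `struct buf`, `buf_put`, `entry_finish` and `put_entry` are hypothetical stand-ins, not OVS APIs; the header is tracked by offset, and the finish routine returns the re-derived pointer so callers cannot keep a stale one.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable buffer (hypothetical stand-in, not OVS's ofpbuf). */
struct buf { uint8_t *data; size_t size, cap; };

/* Append n bytes (zeros if src is NULL). Growth always moves the block, so
 * any pointer into b->data taken before the call is dangling afterwards. */
static void buf_put(struct buf *b, const void *src, size_t n)
{
    if (!n) return;
    if (b->size + n > b->cap) {
        size_t cap = (b->size + n) * 2;
        uint8_t *d = malloc(cap);
        if (!d) abort();
        if (b->size) memcpy(d, b->data, b->size);
        free(b->data);
        b->data = d;
        b->cap = cap;
    }
    if (src) memcpy(b->data + b->size, src, n);
    else memset(b->data + b->size, 0, n);
    b->size += n;
}

/* Pads the entry starting at hdr to a multiple of 8 bytes, stores the total
 * length in its 4-byte header, and returns the header's current address.
 * Callers must replace their own pointer with the return value. */
static uint8_t *entry_finish(struct buf *b, uint8_t *hdr)
{
    size_t ofs = (size_t)(hdr - b->data);   /* capture offset before growth */
    size_t len = b->size - ofs;
    buf_put(b, NULL, (8 - len % 8) % 8);    /* may move b->data */
    uint32_t total = (uint32_t)(b->size - ofs);
    memcpy(b->data + ofs, &total, sizeof total);
    return b->data + ofs;                   /* re-derived, never stale */
}

/* Writes a header placeholder plus payload, remembering the header by offset
 * rather than by pointer, then finishes the entry and returns its length. */
static uint32_t put_entry(struct buf *b, const void *payload, size_t n)
{
    size_t hdr_ofs = b->size;
    buf_put(b, NULL, sizeof(uint32_t));
    buf_put(b, payload, n);                 /* header may have moved */
    uint8_t *hdr = entry_finish(b, b->data + hdr_ofs);
    uint32_t total;
    memcpy(&total, hdr, sizeof total);
    return total;
}
```

Because `buf_put` moves the block on every growth, a caller that held on to a pre-growth pointer would be flagged by valgrind or AddressSanitizer on first use, in the same way as the trace in the first commit message.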