Confirmed that this patch fixes the bug for me.

Jari Sundell
On Thu, Dec 1, 2011 at 4:40 AM, Ben Pfaff <[email protected]> wrote: > Reported-by: Jari Sundell <[email protected]> > --- > lib/learn.c | 11 +++++++++++ > 1 files changed, 11 insertions(+), 0 deletions(-) > > diff --git a/lib/learn.c b/lib/learn.c > index 19a0e00..9d97cb3 100644 > --- a/lib/learn.c > +++ b/lib/learn.c > @@ -621,6 +621,17 @@ learn_format(const struct nx_action_learn *learn, struct > ds *s) > union mf_value value; > uint8_t *bytes = (uint8_t *) &value; > > + if (src_value_bytes > dst_field->n_bytes) { > + /* The destination field is an odd number of bytes, which > + * got rounded up to a multiple of 2 to be put into the > + * learning action. Skip over the leading byte, which > + * should be zero anyway. Otherwise the memcpy() below > + * will overrun the start of 'value'. */ > + int diff = src_value_bytes - dst_field->n_bytes; > + src_value += diff; > + src_value_bytes -= diff; > + } > + > memset(&value, 0, sizeof value); > memcpy(&bytes[dst_field->n_bytes - src_value_bytes], > src_value, src_value_bytes); > -- > 1.7.2.5 > > _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
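Review bot: in the new `if (src_value_bytes > dst_field->n_bytes)` block of learn_format(), the skipped leading bytes are only assumed to be zero ("which should be zero anyway") and are never checked, so a learn action whose padding is nonzero would be printed as if it were well-formed. Consider testing the `diff` skipped bytes before `src_value += diff;` and marking the output when any of them is nonzero, or say in the comment where that invariant is enforced. The comment also describes only the one-byte case (an odd-sized field rounded up to a multiple of 2), while `int diff = src_value_bytes - dst_field->n_bytes;` accepts any excess; either reword the comment to cover the general case or make the one-byte expectation explicit. The commit message visible here carries only the Reported-by line, so a sentence describing the overrun of the start of 'value' that the memcpy() would otherwise cause would help later readers.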
