Looks good.
Thanks,
Pravin.
On Thu, Jul 12, 2012 at 11:27 AM, Ben Pfaff <b...@nicira.com> wrote:
> Fixes a wild pointer write when nx_put_match() expands the ofpbuf.
>
> The change to the OFPST_FLOW case isn't strictly a bug fix, it just makes
> the code for that case more closely resemble the NXST_FLOW case.
>
> Bug #12403.
> Bug #12460.
> Bug #12461.
> Reported-by: Timothy Chen <tc...@nicira.com>
> Reported-by: Natasha Gude <nata...@nicira.com>
> Reported-by: James Schmidt <jschm...@nicira.com>
> Signed-off-by: Ben Pfaff <b...@nicira.com>
> ---
> lib/ofp-util.c | 24 +++++++++++++-----------
> 1 files changed, 13 insertions(+), 11 deletions(-)
>
> diff --git a/lib/ofp-util.c b/lib/ofp-util.c
> index 99f92a8..816a50a 100644
> --- a/lib/ofp-util.c
> +++ b/lib/ofp-util.c
> @@ -2145,7 +2145,11 @@ ofputil_append_flow_stats_reply(const struct
> ofputil_flow_stats *fs,
> if (osm->type == htons(OFPST_FLOW)) {
> struct ofp_flow_stats *ofs;
>
> - ofs = ofpbuf_put_uninit(reply, sizeof *ofs);
> + ofpbuf_put_uninit(reply, sizeof *ofs);
> + ofpacts_put_openflow10(fs->ofpacts, fs->ofpacts_len, reply);
> +
> + ofs = ofpbuf_at_assert(reply, start_ofs, sizeof *ofs);
> + ofs->length = htons(reply->size - start_ofs);
> ofs->table_id = fs->table_id;
> ofs->pad = 0;
> ofputil_cls_rule_to_ofp10_match(&fs->rule, &ofs->match);
> @@ -2160,14 +2164,16 @@ ofputil_append_flow_stats_reply(const struct
> ofputil_flow_stats *fs,
> htonll(unknown_to_zero(fs->packet_count)));
> put_32aligned_be64(&ofs->byte_count,
> htonll(unknown_to_zero(fs->byte_count)));
> - ofpacts_put_openflow10(fs->ofpacts, fs->ofpacts_len, reply);
> -
> - ofs = ofpbuf_at_assert(reply, start_ofs, sizeof *ofs);
> - ofs->length = htons(reply->size - start_ofs);
> } else if (osm->type == htons(OFPST_VENDOR)) {
> struct nx_flow_stats *nfs;
> + int match_len;
>
> - nfs = ofpbuf_put_uninit(reply, sizeof *nfs);
> + ofpbuf_put_uninit(reply, sizeof *nfs);
> + match_len = nx_put_match(reply, false, &fs->rule, 0, 0);
> + ofpacts_put_openflow10(fs->ofpacts, fs->ofpacts_len, reply);
> +
> + nfs = ofpbuf_at_assert(reply, start_ofs, sizeof *nfs);
> + nfs->length = htons(reply->size - start_ofs);
> nfs->table_id = fs->table_id;
> nfs->pad = 0;
> nfs->duration_sec = htonl(fs->duration_sec);
> @@ -2181,14 +2187,10 @@ ofputil_append_flow_stats_reply(const struct
> ofputil_flow_stats *fs,
> nfs->hard_age = htons(fs->hard_age < 0 ? 0
> : fs->hard_age < UINT16_MAX ? fs->hard_age + 1
> : UINT16_MAX);
> - nfs->match_len = htons(nx_put_match(reply, false, &fs->rule, 0, 0));
> + nfs->match_len = htons(match_len);
> nfs->cookie = fs->cookie;
> nfs->packet_count = htonll(fs->packet_count);
> nfs->byte_count = htonll(fs->byte_count);
> - ofpacts_put_openflow10(fs->ofpacts, fs->ofpacts_len, reply);
> -
> - nfs = ofpbuf_at_assert(reply, start_ofs, sizeof *nfs);
> - nfs->length = htons(reply->size - start_ofs);
> } else {
> NOT_REACHED();
> }
> --
> 1.7.2.5
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
