Re: [ovs-dev] [PATCH 2/4] ofp-actions: Fix use-after-free in bundle action.

William Tu Sat, 05 Mar 2016 09:15:06 -0800

Hi Joe,

On Thu, Mar 3, 2016 at 12:22 AM, Joe Stringer <j...@ovn.org> wrote:


> If the actions list in an incoming flow mod is long enough, and there is
> a bundle() action with 3 or more slaves, then it is possible for a
> index ae961f6cc5bb..fe1424f137a1 100644
> --- a/lib/ofp-actions.c
> +++ b/lib/ofp-actions.c
> @@ -1253,9 +1253,9 @@ decode_bundle(bool load, const struct
> nx_action_bundle *nab,
>      for (i = 0; i < bundle->n_slaves; i++) {
>          uint16_t ofp_port = ntohs(((ovs_be16 *)(nab + 1))[i]);
>          ofpbuf_put(ofpacts, &ofp_port, sizeof ofp_port);
> +        bundle = ofpacts->header;
>      }
>
> -    bundle = ofpacts->header;
>      ofpact_finish(ofpacts, &bundle->ofpact);
>
>
I think we need to add another
      bundle = ofpacts->header;
right after
      ofpact_finish(ofpacts, &bundle->ofpact);

Since ofpact_finish could potentially call ofpbuf_put_zero and realloc
buffer to new address.

Regards,
William





>      if (!error) {
> --
> 2.1.4
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
>
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Re: [ovs-dev] [PATCH 2/4] ofp-actions: Fix use-after-free in bundle action.

Reply via email to