From e633f0b4f7dfd7f122fff2d25c1854dc69be0e99 Mon Sep 17 00:00:00 2001
From: Simon Horman
Date: Wed, 27 Feb 2013 16:12:16 +0900
Subject: [PATCH] nx-match: Correct writing of value and length in set_field_to_ofast()
ofpbuf_put_* may reallocate the underlying buffer of the ofpbuf and thus writing data after a ofpbuf_put_* call must write to memory relative to the pointer returned by the call. Prior to this change the length and trailing value would not be written to the set_field action if ofpbuf_put_* may reallocated the underlying buffer. Also make use of ofpbuf_put_zero() to avoid calling memset() directly.
Tested-by: Simon Horman
Signed-off-by: Simon Horman
Signed-off-by: Ben Pfaff
---
 lib/nx-match.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/lib/nx-match.c b/lib/nx-match.c
index 4d7fcd6cd..a0892c2a6 100644
--- a/lib/nx-match.c
+++ b/lib/nx-match.c
@@ -1201,22 +1201,19 @@ set_field_to_ofast(const struct ofpact_reg_load *load,
 struct ofpbuf *openflow)
 {
 const struct mf_field *mf = load->dst.field;
+ uint16_t padded_value_len = ROUND_UP(mf->n_bytes, 8);
 struct ofp12_action_set_field *oasf;
- uint16_t padded_value_len;
-
- oasf = ofputil_put_OFPAT12_SET_FIELD(openflow);
- oasf->dst = htonl(mf->oxm_header);
+ char *value;
 /* Set field is the only action of variable length (so far),
 * so handling the variable length portion is open-coded here */
- padded_value_len = ROUND_UP(mf->n_bytes, 8);
- ofpbuf_put_uninit(openflow, padded_value_len);
+ oasf = ofputil_put_OFPAT12_SET_FIELD(openflow);
+ oasf->dst = htonl(mf->oxm_header);
 oasf->len = htons(ntohs(oasf->len) + padded_value_len);
- memset(oasf + 1, 0, padded_value_len);
+ value = ofpbuf_put_zeros(openflow, padded_value_len);
 bitwise_copy(&load->subvalue, sizeof load->subvalue, load->dst.ofs,
- oasf + 1, mf->n_bytes, load->dst.ofs, load->dst.n_bits);
- return;
+ value, mf->n_bytes, load->dst.ofs, load->dst.n_bits);
 }
 void
--
2.20.1
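Review bot: The statement order that makes this fix correct is not documented in the new body: `oasf` points into `openflow` and stops being valid once `ofpbuf_put_zeros()` runs, so `oasf->dst` and `oasf->len` must both be written before that call and `oasf` must not be touched after it. If the buffer is reallocated, a write through the stale pointer (as the old `memset(oasf + 1, ...)` and `bitwise_copy(..., oasf + 1, ...)` did) presumably lands in the released allocation, which is memory corruption rather than only a missing length, so a later reordering would quietly bring the bug back. I would extend the existing block comment with `/* 'oasf' is invalidated by the next ofpbuf_put_*() on 'openflow'; finish the header before appending the value, and use only 'value' afterwards. */`. The return-type line and the first line of the signature of set_field_to_ofast() sit above the hunk; the body is otherwise fully visible.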