projects / cascardo / ovs.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f3ea2ad) | patch
nx-match: Fix use-after-free parsing matches.
authorJoe Stringer <joe@ovn.org>
Mon, 7 Mar 2016 19:31:02 +0000 (11:31 -0800)
committerJoe Stringer <joe@ovn.org>
Tue, 29 Mar 2016 21:11:16 +0000 (10:11 +1300)
commite659c96bca2c9dbb800ce7882610fd39172c1cef
treee09d7e92def9efe9470a4c10887eea114d24dd19tree | snapshot
parentf3ea2ad27fd076735fdb78286980749bb12fe1cecommit | diff
nx-match: Fix use-after-free parsing matches.

Address pointed by header_ptr might be free'd due to realloc
happened in ofpbuf_put_hex(). Reported by valgrind in the test
379: check TCP flags expression in OXM and NXM.

Invalid write of size 4
    nx_match_from_string_raw (nx-match.c:1510)
    nx_match_from_string (nx-match.c:1538)
    ofctl_parse_nxm__ (ovs-ofctl.c:3325)
    ovs_cmdl_run_command (command-line.c:121)
    main (ovs-ofctl.c:137)

Address 0x7a2cc40 is 0 bytes inside a block of size 64 free'd
    free (vg_replace_malloc.c:530)
    ofpbuf_resize__ (ofpbuf.c:246)
    ofpbuf_put (ofpbuf.c:386)
    ofpbuf_put_hex (ofpbuf.c:414)
    nx_match_from_string_raw (nx-match.c:1488)
    nx_match_from_string (nx-match.c:1538)
    ofctl_parse_nxm__ (ovs-ofctl.c:3325)

Reported-by: William Tu <u9012063@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
lib/nx-match.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.