datapath: Fix buffer overrun in mask array realloc.

mask realloc copies elements from old array to new array. When
shrinking array it can go beyond allocated memory.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>

diff --git a/datapath/flow_table.c b/datapath/flow_table.c
index 765930e..21f67bf 100644 (file)
--- a/datapath/flow_table.c
+++ b/datapath/flow_table.c
@@ -247,9 +247,10 @@ static int tbl_mask_array_realloc(struct flow_table *tbl, int size)
        if (old) {
                int i;
 
-               for (i = 0; i < old->max; i++)
+               for (i = 0; i < min(old->max, new->max); i++)
                        new->masks[i] = old->masks[i];
 
+               BUG_ON(old->count > new->max);
                new->count = old->count;
        }
        rcu_assign_pointer(tbl->mask_array, new);