ofpbuf: Fix use-after-free in bundle parse.

Address pointed by bundle could be obsolete/free'd when
realloc, called from ofpbuf_put_zero(), returns new address.
Reported by Valgrind 367: ovs-ofctl parse-flows (NXM)

Invalid write of size 4
    bundle_parse__ (bundle.c:200)
    bundle_parse_load (bundle.c:272)
    parse_bundle_load (ofp-actions.c:1324)
    ofpacts_parse__ (ofp-actions.c:7484)
    ofpacts_parse (ofp-actions.c:7540)
    ofpacts_parse_copy (ofp-actions.c:7558)
    parse_ofp_str__ (ofp-parse.c:491)
    parse_ofp_str (ofp-parse.c:544)
    parse_ofp_flow_mod_str (ofp-parse.c:870)

Address 0x7a4e96c is 12 bytes inside a block of size 64 free'd
    free (vg_replace_malloc.c:530)
    ofpbuf_resize__ (ofpbuf.c:246) (purposely add to force using new buf)
    ofpbuf_put_zeros (ofpbuf.c:375)
    bundle_parse__ (bundle.c:181)
    bundle_parse_load (bundle.c:272)
    parse_bundle_load (ofp-actions.c:1324)
    ofpacts_parse__ (ofp-actions.c:7484)
    ofpacts_parse (ofp-actions.c:7540)
    ofpacts_parse_copy (ofp-actions.c:7558)

Signed-off-by: William Tu <u9012063@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>

diff --git a/lib/bundle.c b/lib/bundle.c
index 871a724..1451e92 100644 (file)
--- a/lib/bundle.c
+++ b/lib/bundle.c
@@ -180,6 +180,7 @@ bundle_parse__(const char *s, char **save_ptr,
     }
     ofpact_finish(ofpacts, &bundle->ofpact);
 
+    bundle = ofpacts->header;
     bundle->basis = atoi(basis);
 
     if (!strcasecmp(fields, "eth_src")) {