From: Ben Pfaff Date: Wed, 4 Jun 2014 22:42:13 +0000 (-0700) Subject: flow: Fix use-after-free in flow_compose(). X-Git-Tag: v2.3~68 X-Git-Url: http://git.cascardo.eti.br/?p=cascardo%2Fovs.git;a=commitdiff_plain;h=44d255fb4bd625a12aefe50bc30c1cd8a0eea1b6 flow: Fix use-after-free in flow_compose(). flow_compose_l4() can cause 'b' to be reallocated, thus the network header pointer needs to be refreshed afterward. Found by valgrind in the IPv6 case. I updated the IPv4 case too just in case, and for consistency. Signed-off-by: Ben Pfaff Acked-by: Andy Zhou --- diff --git a/lib/flow.c b/lib/flow.c index b1ca8d837..9018b66a2 100644 --- a/lib/flow.c +++ b/lib/flow.c @@ -1512,6 +1512,7 @@ flow_compose(struct ofpbuf *b, const struct flow *flow) l4_len = flow_compose_l4(b, flow); + ip = ofpbuf_l3(b); ip->ip_tot_len = htons(b->l4_ofs - b->l3_ofs + l4_len); ip->ip_csum = csum(ip, sizeof *ip); } else if (flow->dl_type == htons(ETH_TYPE_IPV6)) { @@ -1530,6 +1531,7 @@ flow_compose(struct ofpbuf *b, const struct flow *flow) l4_len = flow_compose_l4(b, flow); + nh = ofpbuf_l3(b); nh->ip6_plen = htons(l4_len); } else if (flow->dl_type == htons(ETH_TYPE_ARP) || flow->dl_type == htons(ETH_TYPE_RARP)) {
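Review bot: In the first hunk (IPv4 branch, @@ -1512), the new `ip = ofpbuf_l3(b);` carries no comment, so a later cleanup could take it for a redundant reload and remove it. A one-line comment above it, stating that flow_compose_l4() can reallocate 'b' and invalidate pointers into it, would record the reason given in the commit message at the place where it matters. The two stores that follow (`ip->ip_tot_len` and the `csum(ip, sizeof *ip)` call) both depend on the refreshed pointer, so the placement directly after the call is right.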
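Review bot: In the second hunk (IPv6 branch, @@ -1530), `nh = ofpbuf_l3(b);` repeats the hand-written refresh from the IPv4 branch, which leaves the underlying hazard in place: any pointer into 'b' held across flow_compose_l4() goes stale, and each caller has to remember to reload it. Consider keeping `nh` and `ip` scoped so that no use after the call can reach the old value, for example by fetching the header through `ofpbuf_l3(b)` in a fresh local after the call rather than reusing the earlier variable. Since the commit message says valgrind found this in the IPv6 case, a test that composes an IPv6 flow with an L4 payload and runs under valgrind would keep the fix from regressing.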