From 4e5135424a72516312dfb2cd358d370e5c505ad9 Mon Sep 17 00:00:00 2001
From: Pravin B Shelar <pshelar@nicira.com>
Date: Fri, 25 Jul 2014 16:22:46 -0700
Subject: [PATCH] datapath: Fix buffer overrun in mask array realloc.

mask realloc copies elements from old array to new array. When
shrinking array it can go beyond allocated memory.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>
---
 datapath/flow_table.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/datapath/flow_table.c b/datapath/flow_table.c
index 765930e01..21f67bffb 100644
--- a/datapath/flow_table.c
+++ b/datapath/flow_table.c
@@ -247,9 +247,10 @@ static int tbl_mask_array_realloc(struct flow_table *tbl, int size)
 	if (old) {
 		int i;
 
-		for (i = 0; i < old->max; i++)
+		for (i = 0; i < min(old->max, new->max); i++)
 			new->masks[i] = old->masks[i];
 
+		BUG_ON(old->count > new->max);
 		new->count = old->count;
 	}
 	rcu_assign_pointer(tbl->mask_array, new);
-- 
2.20.1