mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-30 22:05:19 +00:00
Code Issues Releases Wiki Activity

flow: Fix use-after-free in flow_compose().

Browse Source 
flow_compose_l4() can cause 'b' to be reallocated, thus the network header
pointer needs to be refreshed afterward.

Found by valgrind in the IPv6 case.  I updated the IPv4 case too just in
case, and for consistency.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>
This commit is contained in:
Ben Pfaff
2014-06-04 15:42:13 -07:00
parent 98de6bebb8
commit 1c98d0ad8c
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/flow.c
View File

@@ -1512,6 +1512,7 @@ flow_compose(struct ofpbuf *b, const struct flow *flow)
l4_len = flow_compose_l4(b, flow);
ip = ofpbuf_l3(b);
ip->ip_tot_len = htons(b->l4_ofs - b->l3_ofs + l4_len);
ip->ip_csum = csum(ip, sizeof *ip);
} else if (flow->dl_type == htons(ETH_TYPE_IPV6)) {
@@ -1530,6 +1531,7 @@ flow_compose(struct ofpbuf *b, const struct flow *flow)
l4_len = flow_compose_l4(b, flow);
nh = ofpbuf_l3(b);
nh->ip6_plen = htons(l4_len);
} else if (flow->dl_type == htons(ETH_TYPE_ARP) ||
flow->dl_type == htons(ETH_TYPE_RARP)) {