mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-09-01 06:45:17 +00:00
Code Issues Releases Wiki Activity

dpctl: Fix jump through wild pointer in "dpctl/help".

Browse Source 
dpctl_unixctl_handler() didn't fully initialize the dpctl_params structure
it passed to the handler, which meant that dpctl_help() could see a nonnull
(indeterminate) 'usage' pointer and jump through it, causes a crash.
This commit fixes the crash by fully initializing the structure.

The dpctl/help command wasn't going to do anything useful anyway, so this
commit also stops registering it.

Reported-by: Murali R <muralirdev@gmail.com>
Reported-at: http://openvswitch.org/pipermail/discuss/2015-October/019135.html
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
This commit is contained in:
Ben Pfaff
2015-10-17 14:24:01 -07:00
parent 3ee7cc6c37
commit 337c452854
2 changed files with 13 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
AUTHORS
View File

@@ -329,6 +329,7 @@ Mike Kruze mkruze@nicira.com
Min Chen ustcer.tonychan@gmail.com Min Chen ustcer.tonychan@gmail.com
Mikael Doverhag mdoverhag@nicira.com Mikael Doverhag mdoverhag@nicira.com
Mrinmoy Das mrdas@ixiacom.com Mrinmoy Das mrdas@ixiacom.com
Murali R muralirdev@gmail.com
Nagi Reddy Jonnala njonnala@Brocade.com Nagi Reddy Jonnala njonnala@Brocade.com
Niels van Adrichem N.L.M.vanAdrichem@tudelft.nl Niels van Adrichem N.L.M.vanAdrichem@tudelft.nl
Niklas Andersson nandersson@nicira.com Niklas Andersson nandersson@nicira.com

27
lib/dpctl.c
View File

@@ -1583,15 +1583,13 @@ dpctl_unixctl_handler(struct unixctl_conn *conn, int argc, const char *argv[],
void *aux) void *aux)
{ {
struct ds ds = DS_EMPTY_INITIALIZER; struct ds ds = DS_EMPTY_INITIALIZER;
struct dpctl_params dpctl_p;
bool error = false; bool error = false;
dpctl_command_handler *handler = (dpctl_command_handler *) aux; struct dpctl_params dpctl_p = {
.is_appctl = true,
dpctl_p.print_statistics = false; .output = dpctl_unixctl_print,
dpctl_p.zero_statistics = false; .aux = &ds,
dpctl_p.may_create = false; };
dpctl_p.verbosity = 0;
/* Parse options (like getopt). Unfortunately it does /* Parse options (like getopt). Unfortunately it does
* not seem a good idea to call getopt_long() here, since it uses global * not seem a good idea to call getopt_long() here, since it uses global
@@ -1644,10 +1642,7 @@ dpctl_unixctl_handler(struct unixctl_conn *conn, int argc, const char *argv[],
} }
if (!error) { if (!error) {
dpctl_p.is_appctl = true; dpctl_command_handler *handler = (dpctl_command_handler *) aux;
dpctl_p.output = dpctl_unixctl_print;
dpctl_p.aux = &ds;
error = handler(argc, argv, &dpctl_p) != 0; error = handler(argc, argv, &dpctl_p) != 0;
} }
@@ -1666,9 +1661,11 @@ dpctl_unixctl_register(void)
const struct dpctl_command *p; const struct dpctl_command *p;
for (p = all_commands; p->name != NULL; p++) { for (p = all_commands; p->name != NULL; p++) {
char *cmd_name = xasprintf("dpctl/%s", p->name); if (strcmp(p->name, "help")) {
unixctl_command_register(cmd_name, "", p->min_args, p->max_args, char *cmd_name = xasprintf("dpctl/%s", p->name);
dpctl_unixctl_handler, p->handler); unixctl_command_register(cmd_name, "", p->min_args, p->max_args,
free(cmd_name); dpctl_unixctl_handler, p->handler);
free(cmd_name);
}
} }
} }