If ofpacts_len is 0 then ofpacts->type is a bad reference. (An early draft of ofpacts used an OFPACT_END sentinel so that there was always data there in this function, but in review the sentinel got deleted and I did not notice that this function needed an update.)
Found by valgrind. Bug #12847. Signed-off-by: Ben Pfaff <[email protected]> --- ofproto/ofproto-dpif.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c index a7e85de..444df14 100644 --- a/ofproto/ofproto-dpif.c +++ b/ofproto/ofproto-dpif.c @@ -3794,7 +3794,8 @@ facet_is_controller_flow(struct facet *facet) const struct ofpact *ofpacts = rule->ofpacts; size_t ofpacts_len = rule->ofpacts_len; - if (ofpacts->type == OFPACT_CONTROLLER && + if (ofpacts_len > 0 && + ofpacts->type == OFPACT_CONTROLLER && ofpact_next(ofpacts) >= ofpact_end(ofpacts, ofpacts_len)) { return true; } -- 1.7.2.5 _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
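Review bot: In the condition of facet_is_controller_flow(), the new `ofpacts_len > 0` test is what keeps `ofpacts->type` from being read when the rule has no actions, but the code gives no hint why an empty list can occur. A one-line comment above the `if`, saying that ofpacts carries no OFPACT_END sentinel and so a zero-length list has no first element to inspect, would keep a later cleanup from dropping or reordering the test. It has to remain the first operand of the `&&` chain for the short-circuit to protect the dereference. Because the commit message attributes the bug to the sentinel being removed in review, any other code that reads the first ofpact of `rule->ofpacts` without consulting `rule->ofpacts_len` deserves the same check. The comparison `ofpact_next(ofpacts) >= ofpact_end(ofpacts, ofpacts_len)` is unchanged here and still assumes a complete ofpact header is present whenever the length is nonzero.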
