Good catch, this was a tricky one. Thanks. Ethan
On Thu, Aug 16, 2012 at 1:37 PM, Ben Pfaff <[email protected]> wrote: > If ofpacts_len is 0 then ofpacts->type is a bad reference. > > (An early draft of ofpacts used an OFPACT_END sentinel so that there was > always data there in this function, but in review the sentinel got deleted > and I did not notice that this function needed an update.) > > Found by valgrind. > > Bug #12847. > Signed-off-by: Ben Pfaff <[email protected]> > --- > ofproto/ofproto-dpif.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c > index a7e85de..444df14 100644 > --- a/ofproto/ofproto-dpif.c > +++ b/ofproto/ofproto-dpif.c > @@ -3794,7 +3794,8 @@ facet_is_controller_flow(struct facet *facet) > const struct ofpact *ofpacts = rule->ofpacts; > size_t ofpacts_len = rule->ofpacts_len; > > - if (ofpacts->type == OFPACT_CONTROLLER && > + if (ofpacts_len > 0 && > + ofpacts->type == OFPACT_CONTROLLER && > ofpact_next(ofpacts) >= ofpact_end(ofpacts, ofpacts_len)) { > return true; > } > -- > 1.7.2.5 > > _______________________________________________ > dev mailing list > [email protected] > http://openvswitch.org/mailman/listinfo/dev _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
