Mask realloc copies elements from the old array to the new array. When shrinking the array, it can go beyond allocated memory.
Signed-off-by: Pravin B Shelar <[email protected]> --- datapath/flow_table.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/datapath/flow_table.c b/datapath/flow_table.c index 765930e..21f67bf 100644 --- a/datapath/flow_table.c +++ b/datapath/flow_table.c @@ -247,9 +247,10 @@ static int tbl_mask_array_realloc(struct flow_table *tbl, int size) if (old) { int i; - for (i = 0; i < old->max; i++) + for (i = 0; i < min(old->max, new->max); i++) new->masks[i] = old->masks[i]; + BUG_ON(old->count > new->max); new->count = old->count; } rcu_assign_pointer(tbl->mask_array, new); -- 1.7.1 _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
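Review bot: The BUG_ON(old->count > new->max) added after the copy loop turns an over-aggressive shrink into a kernel panic, and it is only evaluated once the loop has already run. tbl_mask_array_realloc() returns int, so consider comparing old->count against the new capacity before copying and returning an error to the caller instead, or using WARN_ON with an early exit. The min(old->max, new->max) bound does stop the write past the end of new->masks, but on a shrink it silently drops whatever sits at indices at or above new->max. The BUG_ON checks only count, not which slots are occupied, so the commit message or a comment should state whether callers guarantee that the populated entries are packed at the front of the array.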
