Good catch! Acked-by: Andy Zhou <[email protected]>
On Fri, Jul 25, 2014 at 4:22 PM, Pravin B Shelar <[email protected]> wrote: > mask realloc copies elements from old array to new array. When > shrinking array it can go beyond allocated memory. > > Signed-off-by: Pravin B Shelar <[email protected]> > --- > datapath/flow_table.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/datapath/flow_table.c b/datapath/flow_table.c > index 765930e..21f67bf 100644 > --- a/datapath/flow_table.c > +++ b/datapath/flow_table.c > @@ -247,9 +247,10 @@ static int tbl_mask_array_realloc(struct flow_table > *tbl, int size) > if (old) { > int i; > > - for (i = 0; i < old->max; i++) > + for (i = 0; i < min(old->max, new->max); i++) > new->masks[i] = old->masks[i]; > > + BUG_ON(old->count > new->max); > new->count = old->count; > } > rcu_assign_pointer(tbl->mask_array, new); > -- > 1.7.1 > > _______________________________________________ > dev mailing list > [email protected] > http://openvswitch.org/mailman/listinfo/dev _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
