Address pointed by header_ptr might be free'd due to realloc happened at ofpbuf_put_uninit() and ofpbuf_put_hex(). Reported by valgrind 379: check TCP flags expression in OXM and NXM.
Invalid write of size 4 nx_match_from_string_raw (nx-match.c:1510) nx_match_from_string (nx-match.c:1538) ofctl_parse_nxm__ (ovs-ofctl.c:3325) ovs_cmdl_run_command (command-line.c:121) main (ovs-ofctl.c:137) Address 0x7a2cc40 is 0 bytes inside a block of size 64 free'd free (vg_replace_malloc.c:530) ofpbuf_resize__ (ofpbuf.c:246) ofpbuf_put (ofpbuf.c:386) ofpbuf_put_hex (ofpbuf.c:414) nx_match_from_string_raw (nx-match.c:1488) nx_match_from_string (nx-match.c:1538) ofctl_parse_nxm__ (ovs-ofctl.c:3325) Signed-off-by: William Tu <u9012...@gmail.com> --- lib/nx-match.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/nx-match.c b/lib/nx-match.c index 4999b1a..2615f8c 100644 --- a/lib/nx-match.c +++ b/lib/nx-match.c @@ -1470,6 +1470,7 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b) ovs_be64 *header_ptr; int name_len; size_t n; + ptrdiff_t header_ptr_offset; name = s; name_len = strcspn(s, "("); @@ -1485,6 +1486,7 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b) s += name_len + 1; header_ptr = ofpbuf_put_uninit(b, nxm_header_len(header)); + header_ptr_offset = (char *)header_ptr - (char *)b->data; s = ofpbuf_put_hex(b, s, &n); if (n != nxm_field_bytes(header)) { const struct mf_field *field = mf_from_oxm_header(header); @@ -1507,6 +1509,10 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b) } } nw_header = htonll(header); + + /* header_ptr might be free'd due to + * ofpbuf_put_uninit() and ofpbuf_put_hex(). */ + header_ptr = (ovs_be64 *)((char *)b->data + header_ptr_offset); memcpy(header_ptr, &nw_header, nxm_header_len(header)); if (nxm_hasmask(header)) { -- 2.5.0 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev