Address pointed by header_ptr might be free'd due to realloc
happened in ofpbuf_put_hex(). Reported by valgrind in the test
379: check TCP flags expression in OXM and NXM.
Invalid write of size 4
nx_match_from_string_raw (nx-match.c:1510)
nx_match_from_string (nx-match.c:1538)
ofctl_parse_nxm__ (ovs-ofctl.c:3325)
ovs_cmdl_run_command (command-line.c:121)
main (ovs-ofctl.c:137)
Address 0x7a2cc40 is 0 bytes inside a block of size 64 free'd
free (vg_replace_malloc.c:530)
ofpbuf_resize__ (ofpbuf.c:246)
ofpbuf_put (ofpbuf.c:386)
ofpbuf_put_hex (ofpbuf.c:414)
nx_match_from_string_raw (nx-match.c:1488)
nx_match_from_string (nx-match.c:1538)
ofctl_parse_nxm__ (ovs-ofctl.c:3325)
Reported-by: William Tu <u9012...@gmail.com>
Signed-off-by: Joe Stringer <j...@ovn.org>
---
lib/nx-match.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/nx-match.c b/lib/nx-match.c
index 4999b1ac95d7..6fcc53ad07d1 100644
--- a/lib/nx-match.c
+++ b/lib/nx-match.c
@@ -1467,7 +1467,6 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b)
const char *name;
uint64_t header;
ovs_be64 nw_header;
- ovs_be64 *header_ptr;
int name_len;
size_t n;
@@ -1484,7 +1483,7 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b)
s += name_len + 1;
- header_ptr = ofpbuf_put_uninit(b, nxm_header_len(header));
+ b->header = ofpbuf_put_uninit(b, nxm_header_len(header));
s = ofpbuf_put_hex(b, s, &n);
if (n != nxm_field_bytes(header)) {
const struct mf_field *field = mf_from_oxm_header(header);
@@ -1507,7 +1506,7 @@ nx_match_from_string_raw(const char *s, struct ofpbuf *b)
}
}
nw_header = htonll(header);
- memcpy(header_ptr, &nw_header, nxm_header_len(header));
+ memcpy(b->header, &nw_header, nxm_header_len(header));
if (nxm_hasmask(header)) {
s += strspn(s, " ");
--
2.1.4
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
