This fixes a seemingly severe memory leak in ipfix_send_template_msgs(). This function was setting up a buffer with a stub, but only the first 4 or 8 bytes of the stub were actually used because the "sizeof" call used to size it was actually getting the size of a pointer. It never freed the buffer, leaking it.
Additionally, after this code sent a template message, it started over from the same undersized stub, leaking another block of memory. This commit fixes both problems. Found by Coverity. CC: Romain Lenglet <[email protected]> Reported-at: https://scan3.coverity.com/reports.htm#v16889/p10449/fileInstanceId=14762995&defectInstanceId=4304799&mergedDefectId=180398 Signed-off-by: Ben Pfaff <[email protected]> --- ofproto/ofproto-dpif-ipfix.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ofproto/ofproto-dpif-ipfix.c b/ofproto/ofproto-dpif-ipfix.c index 23fc51b7b053..f8c7ad906acc 100644 --- a/ofproto/ofproto-dpif-ipfix.c +++ b/ofproto/ofproto-dpif-ipfix.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2013, 2014, 2015, 2016 Nicira, Inc. + * Copyright (c) 2012, 2013, 2014, 2015, 2016, 2017 Nicira, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -1281,13 +1281,13 @@ ipfix_define_template_fields(enum ipfix_proto_l2 l2, enum ipfix_proto_l3 l3, } static void -ipfix_init_template_msg(void *msg_stub, uint32_t export_time_sec, +ipfix_init_template_msg(uint32_t export_time_sec, uint32_t seq_number, uint32_t obs_domain_id, struct dp_packet *msg, size_t *set_hdr_offset) { struct ipfix_set_header *set_hdr; - dp_packet_use_stub(msg, msg_stub, sizeof msg_stub); + dp_packet_clear(msg); ipfix_init_header(export_time_sec, seq_number, obs_domain_id, msg); *set_hdr_offset = dp_packet_size(msg); @@ -1322,6 +1322,8 @@ ipfix_send_template_msgs(struct dpif_ipfix_exporter *exporter, { uint64_t msg_stub[DIV_ROUND_UP(MAX_MESSAGE_LEN, 8)]; struct dp_packet msg; + dp_packet_use_stub(&msg, msg_stub, sizeof msg_stub); + size_t set_hdr_offset, tmpl_hdr_offset, error_pkts; struct ipfix_template_record_header *tmpl_hdr; uint16_t field_count; @@ -1332,7 +1334,7 @@ ipfix_send_template_msgs(struct dpif_ipfix_exporter *exporter, enum ipfix_proto_l4 l4; enum ipfix_proto_tunnel tunnel; - ipfix_init_template_msg(msg_stub, export_time_sec, exporter->seq_number, + ipfix_init_template_msg(export_time_sec, exporter->seq_number, obs_domain_id, &msg, &set_hdr_offset); /* Define one template for each possible combination of * protocols. */ @@ -1357,7 +1359,7 @@ ipfix_send_template_msgs(struct dpif_ipfix_exporter *exporter, tx_packets += collectors_count(exporter->collectors) - error_pkts; /* Reinitialize the template msg. */ - ipfix_init_template_msg(msg_stub, export_time_sec, + ipfix_init_template_msg(export_time_sec, exporter->seq_number, obs_domain_id, &msg, &set_hdr_offset); @@ -1389,6 +1391,7 @@ ipfix_send_template_msgs(struct dpif_ipfix_exporter *exporter, /* XXX: Add Options Template Sets, at least to define a Flow Keys * Option Template. */ + dp_packet_uninit(&msg); } static inline uint32_t -- 2.10.2 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
