Found by libFuzzer.

Reported-by: Bhargava Shastry <[email protected]>
Signed-off-by: Ben Pfaff <[email protected]>
---
 lib/ofp-util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index e915cb2ab2d7..8c294727bfa3 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -9174,6 +9174,7 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t 
buckets_length,
         if (!ob) {
             VLOG_WARN_RL(&bad_ofmsg_rl, "buckets end with %"PRIuSIZE" leftover 
bytes",
                          buckets_length);
+            ofputil_bucket_list_destroy(buckets);
             return OFPERR_OFPGMFC_BAD_BUCKET;
         }
 
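Review bot: The call `ofputil_bucket_list_destroy(buckets);` is now repeated by hand before each early `return OFPERR_OFPGMFC_BAD_BUCKET;`, here in the `!ob` branch and twice more in the length checks of the next hunk, so a validation exit added later can bring the leak back by omitting it. All three exits return the same code, so a shared exit would be harder to get wrong: replace each pair with `goto bad_bucket;` and place `bad_bucket: ofputil_bucket_list_destroy(buckets); return OFPERR_OFPGMFC_BAD_BUCKET;` after the loop. The lengths checked here appear to come from the received message, so these reject paths are presumably reachable by malformed input. The start and end of the function are outside the hunk, so any other error returns there should be checked for the same cleanup.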
@@ -9181,11 +9182,13 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t 
buckets_length,
         if (ob_len < sizeof *ob) {
             VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length "
                          "%"PRIuSIZE" is not valid", ob_len);
+            ofputil_bucket_list_destroy(buckets);
             return OFPERR_OFPGMFC_BAD_BUCKET;
         } else if (ob_len > buckets_length) {
             VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length "
                          "%"PRIuSIZE" exceeds remaining buckets data size 
%"PRIuSIZE,
                          ob_len, buckets_length);
+            ofputil_bucket_list_destroy(buckets);
             return OFPERR_OFPGMFC_BAD_BUCKET;
         }
         buckets_length -= ob_len;
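Review bot: The function comment should state the ownership rule these two branches now establish, namely that on an error return the partially built `buckets` list has already been destroyed. A line above `ofputil_pull_ofp11_buckets` such as `/* On error, any buckets already appended to 'buckets' are destroyed before returning; the caller need not free them. */` would cover it. Whether existing callers also destroy the list on error, and whether a second destroy is harmless, is not visible here and is worth confirming. The function header and the rest of the loop body lie outside the hunk.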
-- 
2.10.2
