These lines of code are intended to copy the 'next' and 'next_max' members
of tbl[type] into local variables 'tbl' and 'max':
tbl = tbl[type].next;
max = tbl[type].next_max;
They didn't do it properly because the first line changes 'tbl', so that
the first and seconds lines' references to tbl[type] refer to different
objects.
This commit fixes the problem.
Found by libfuzzer.
Reported-by: Bhargava Shastry <[email protected]>
Signed-off-by: Ben Pfaff <[email protected]>
---
lib/odp-util.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/odp-util.c b/lib/odp-util.c
index 45a890c46aa0..b7b6a2a9a785 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -3497,8 +3497,9 @@ generate_all_wildcard_mask(const struct attr_len_tbl
tbl[], int max,
size_t nested_mask;
if (tbl[type].next) {
- tbl = tbl[type].next;
- max = tbl[type].next_max;
+ const struct attr_len_tbl *entry = &tbl[type];
+ tbl = entry->next;
+ max = entry->next_max;
}
nested_mask = nl_msg_start_nested(ofp, type);
--
2.10.2
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
