After ofpbuf_put, actions may have been reallocated and key will point to an invalid memory address.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10796 Signed-off-by: Yifeng Sun <[email protected]> --- lib/odp-util.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/odp-util.c b/lib/odp-util.c index 890c71b7f336..7705bb30ae21 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c @@ -2242,13 +2242,14 @@ parse_odp_action(const char *s, const struct simap *port_names, key->nla_len += size; ofpbuf_put(actions, mask + 1, size); - /* Add new padding as needed */ - ofpbuf_put_zeros(actions, NLA_ALIGN(key->nla_len) - - key->nla_len); - /* 'actions' may have been reallocated by ofpbuf_put(). */ nested = ofpbuf_at_assert(actions, start_ofs, sizeof *nested); nested->nla_type = OVS_ACTION_ATTR_SET_MASKED; + + key = nested + 1; + /* Add new padding as needed */ + ofpbuf_put_zeros(actions, NLA_ALIGN(key->nla_len) - + key->nla_len); } } ofpbuf_uninit(&maskbuf); -- 2.7.4 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
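Review bot: the `key = nested + 1;` line is the whole fix and should carry a comment of its own, since the existing comment two lines above only says that 'actions' may have been reallocated and a later reader will not see why `key` is recomputed rather than just `nested`: the reason is that the padding call immediately below reads `key->nla_len`, which dereferences the pre-`ofpbuf_put()` pointer in the old ordering. Moving `ofpbuf_put_zeros()` after the `nested`/`key` refresh is correct as long as `key` really is laid out directly after `nested` in the buffer, which `nested + 1` assumes; worth stating in the comment. Also note that `ofpbuf_put_zeros()` can reallocate `actions` again, so both `nested` and `key` are stale once it returns; nothing in the visible hunk uses them afterwards, but a one-line comment saying so would stop the same bug from being reintroduced if code is later added before the closing brace. Since this comes from an oss-fuzz report, a regression test that parses an `OVS_ACTION_ATTR_SET_MASKED` action long enough to force the reallocation would make the fix verifiable.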
