memmove byte count was calculated incorrectly as ofpbuf_put_uninit is increasing b->size by n.
This patch fixes it by deducing byte count by n. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12296 Signed-off-by: Toms Atteka <[email protected]> --- lib/ofpbuf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/ofpbuf.c b/lib/ofpbuf.c index 9c06236..91a5295 100644 --- a/lib/ofpbuf.c +++ b/lib/ofpbuf.c @@ -469,9 +469,9 @@ void ofpbuf_insert(struct ofpbuf *b, size_t offset, const void *data, size_t n) { if (offset < b->size) { - ofpbuf_put_uninit(b, n); + ofpbuf_put_uninit(b, n); // b->size gets increased memmove((char *) b->data + offset + n, (char *) b->data + offset, - b->size - offset); + b->size - offset - n); memcpy((char *) b->data + offset, data, n); } else { ovs_assert(offset == b->size); -- 2.7.4 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
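Review bot: the new `// b->size gets increased` comment in the `ofpbuf_put_uninit(b, n);` line is a C++-style comment; the surrounding file uses `/* ... */` comments, so either switch to that form or drop the comment, since the `- n` on the memmove length now documents the same fact. The arithmetic itself is right: after `ofpbuf_put_uninit(b, n)` the buffer's `size` is already `old_size + n`, so the tail that has to shift up by `n` bytes is `b->size - offset - n` (the old `b->size - offset` made memmove copy `n` extra bytes to `offset + n`, ending at `b->size + n`, past the region the put reserved, which matches the oss-fuzz report cited). A slightly more readable variant would save the tail length before growing the buffer, e.g. `size_t tail = b->size - offset;` above the `ofpbuf_put_uninit` call and `memmove(..., tail);`, which avoids the reader having to reason about the post-put `size` at all; either way, a unit test that inserts into the middle of a buffer whose headroom/tailroom are exhausted would pin this down.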
