On 18.01.2019 14:18, Toms Atteka wrote:
> The memmove byte count was calculated incorrectly, as ofpbuf_put_uninit
> increases b->size by n.
> 
> This patch fixes it by reducing the byte count by n.
> 
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12296
> Signed-off-by: Toms Atteka <[email protected]>
> ---
>  lib/ofpbuf.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/ofpbuf.c b/lib/ofpbuf.c
> index 9c06236..91a5295 100644
> --- a/lib/ofpbuf.c
> +++ b/lib/ofpbuf.c
> @@ -469,9 +469,9 @@ void
>  ofpbuf_insert(struct ofpbuf *b, size_t offset, const void *data, size_t n)
>  {
>      if (offset < b->size) {
> -        ofpbuf_put_uninit(b, n);
> +        ofpbuf_put_uninit(b, n); // b->size gets increased

Please don't use C99-style comments. Use /* */ instead.

>          memmove((char *) b->data + offset + n, (char *) b->data + offset,
> -                b->size - offset);
> +                b->size - offset - n);
>          memcpy((char *) b->data + offset, data, n);
>      } else {
>          ovs_assert(offset == b->size);
> 
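Review bot: the `//` comment added on the ofpbuf_put_uninit() line should be a `/* */` comment per OVS style (as already noted above), and the new count `b->size - offset - n` would be easier to follow if the tail length were captured before the call that grows b->size, e.g. `size_t tail = b->size - offset;` ahead of `ofpbuf_put_uninit(b, n);` and then `memmove((char *) b->data + offset + n, (char *) b->data + offset, tail);`, which removes the need for the explanatory comment. The arithmetic in the hunk is otherwise right: after ofpbuf_put_uninit(), b->size already includes the n bytes just appended, so the old count `b->size - offset` moved n bytes too many and wrote n bytes past the buffer's tail, which is the overflow being fixed.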
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
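As an added illustration of the bug discussed above (this is example code, not Open vSwitch's own lib/ofpbuf.c), the following C program builds a minimal ofpbuf-like buffer with a canary region placed just past its tail and runs the insert once with the original memmove count and once with the corrected one. The names toybuf, toybuf_put_uninit, toybuf_insert and run_insert are hypothetical; the buffer keeps only the fields the hunk touches (data and size) plus an allocation size so that put_uninit can grow it without reallocating. The sample contents ("abcdef", inserting "XYZ" at offset 2) are constructed for the example.

```c
/*
 * Added example, not OVS code: reproduces the memmove byte-count bug fixed
 * by the patch above.  toybuf mirrors the two ofpbuf fields the hunk uses
 * (data, size); 'allocated' is added so the toy never needs to realloc.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  16      /* canary bytes placed right after the tail */
#define GUARD_BYTE 0xAA

struct toybuf {
    char *data;
    size_t size;        /* bytes in use, like b->size in ofpbuf */
    size_t allocated;   /* total bytes at 'data': size + extra + GUARD_LEN */
};

/* Fill the buffer with 'len' bytes of 'init', leave 'extra' zeroed bytes of
 * headroom for put_uninit, then lay down the canary after that headroom. */
static void toybuf_init(struct toybuf *b, const char *init, size_t len,
                        size_t extra)
{
    b->allocated = len + extra + GUARD_LEN;
    b->data = malloc(b->allocated);
    assert(b->data);
    memset(b->data, 0, b->allocated);
    memcpy(b->data, init, len);
    b->size = len;
    memset(b->data + len + extra, GUARD_BYTE, GUARD_LEN);
}

/* Like ofpbuf_put_uninit(): reserve n bytes at the tail and grow b->size.
 * This side effect is what the original memmove count failed to account for. */
static void *toybuf_put_uninit(struct toybuf *b, size_t n)
{
    assert(b->size + n + GUARD_LEN <= b->allocated);   /* toy: no realloc */
    void *p = b->data + b->size;
    b->size += n;
    return p;
}

/* Insert n bytes of 'data' at 'offset'.  With buggy == true the memmove
 * count is b->size - offset, which already includes the n bytes just
 * appended, so n bytes too many are moved and land past the tail. */
static void toybuf_insert(struct toybuf *b, size_t offset, const void *data,
                          size_t n, bool buggy)
{
    assert(offset <= b->size);
    if (offset < b->size) {
        toybuf_put_uninit(b, n);                     /* b->size is now +n */
        size_t count = buggy ? b->size - offset      /* original (wrong)  */
                             : b->size - offset - n; /* patched (correct) */
        memmove(b->data + offset + n, b->data + offset, count);
        memcpy(b->data + offset, data, n);
    } else {
        memcpy(toybuf_put_uninit(b, n), data, n);
    }
}

/* True if no byte of the canary past the tail has been overwritten. */
static bool toybuf_guard_intact(const struct toybuf *b)
{
    const unsigned char *g =
        (const unsigned char *) b->data + b->allocated - GUARD_LEN;
    for (size_t i = 0; i < GUARD_LEN; i++) {
        if (g[i] != GUARD_BYTE) {
            return false;
        }
    }
    return true;
}

/* Insert "XYZ" at offset 2 of "abcdef".  Returns whether the canary survived
 * and reports through *content_ok whether the visible result is correct. */
static bool run_insert(bool buggy, bool *content_ok)
{
    struct toybuf b;
    toybuf_init(&b, "abcdef", 6, 3);
    toybuf_insert(&b, 2, "XYZ", 3, buggy);
    *content_ok = b.size == 9 && memcmp(b.data, "abXYZcdef", 9) == 0;
    bool intact = toybuf_guard_intact(&b);
    free(b.data);
    return intact;
}

int main(void)
{
    bool content_ok;
    bool intact = run_insert(true, &content_ok);
    printf("original count: content %s, canary %s\n",
           content_ok ? "correct" : "wrong", intact ? "intact" : "CLOBBERED");
    intact = run_insert(false, &content_ok);
    printf("patched count:  content %s, canary %s\n",
           content_ok ? "correct" : "wrong", intact ? "intact" : "CLOBBERED");
    return 0;
}
```

The point worth noticing is that both variants leave the first b->size bytes looking right ("abXYZcdef"), because the surplus bytes the buggy memmove copies are the zeroed headroom and they land beyond the tail. Only the canary reveals the n-byte write past the end, which is why the defect surfaced through OSS-Fuzz rather than through a functional test.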
