ofproto: Fix write-after-free error in compose_nx_flow_removed().

diff --git a/lib/nx-match.c b/lib/nx-match.c
index c1d8fa84e1bd265a7d3cae9a60db69e82f7c64a1..0b87fc92f7ef1916f726a39b8f4798f2130a681c 100644 (file)
--- a/lib/nx-match.c
+++ b/lib/nx-match.c
@@ -562,6 +562,16 @@ nxm_put_eth_dst(struct ofpbuf *b,
     }
 }
 
+/* Appends to 'b' the nx_match format that expresses 'cr' (except for
+ * 'cr->priority', because priority is not part of nx_match), plus enough
+ * zero bytes to pad the nx_match out to a multiple of 8.
+ *
+ * This function can cause 'b''s data to be reallocated.
+ *
+ * Returns the number of bytes appended to 'b', excluding padding.
+ *
+ * If 'cr' is a catch-all rule that matches every packet, then this function
+ * appends nothing to 'b' and returns 0. */
 int
 nx_put_match(struct ofpbuf *b, const struct cls_rule *cr)
 {

diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
index 8b52b80ade0757c01f024d828ff7114ba421d664..5cd76df81301cab9a61ad2ceb20506cacdf0aa34 100644 (file)
--- a/ofproto/ofproto.c
+++ b/ofproto/ofproto.c
@@ -4698,10 +4698,10 @@ compose_nx_flow_removed(const struct rule *rule, uint8_t reason)
     struct ofpbuf *buf;
     int match_len;
 
-    nfr = make_nxmsg(sizeof *nfr, NXT_FLOW_REMOVED, &buf);
+    make_nxmsg(sizeof *nfr, NXT_FLOW_REMOVED, &buf);
 
     match_len = nx_put_match(buf, &rule->cr);
-
+    nfr = buf->data;
     nfr->cookie = rule->flow_cookie;
     nfr->priority = htons(rule->cr.priority);
     nfr->reason = reason;