dpctl: Fix use-after-free in "probe" command.
authorBen Pfaff <blp@nicira.com>
Fri, 9 Jan 2009 01:13:30 +0000 (17:13 -0800)
committerBen Pfaff <blp@nicira.com>
Tue, 13 Jan 2009 01:00:29 +0000 (17:00 -0800)
Found by Chris Eagle via Fortify.

utilities/dpctl.c

index 0113d9674d4144a4292d47ef91c701b363be1222..80f8a46103ecae516f6d27412ff86b9b086b9668 100644 (file)
@@ -1159,7 +1159,7 @@ do_probe(const struct settings *s UNUSED, int argc UNUSED, char *argv[])
     make_openflow(sizeof(struct ofp_header), OFPT_ECHO_REQUEST, &request);
     open_vconn(argv[1], &vconn);
     run(vconn_transact(vconn, request, &reply), "talking to %s", argv[1]);
-    if (reply->size != request->size) {
+    if (reply->size != sizeof(struct ofp_header)) {
         ofp_fatal(0, "reply does not match request");
     }
     ofpbuf_delete(reply);
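Review bot: The new comparison on the `+` line repeats `sizeof(struct ofp_header)` from the make_openflow() call three lines above, so the two lengths can drift apart if the echo request ever gains a payload, and nothing in the code tells a later reader why `request` must not be read at this point. Capturing the length once before the transaction, e.g. `const size_t request_size = sizeof(struct ofp_header);`, and testing `reply->size != request_size` keeps the check tied to what was actually sent. A comment above the `run(...)` line such as `/* vconn_transact() takes ownership of 'request'; do not dereference it afterwards. */` would help keep the use-after-free from being reintroduced; the ownership transfer is inferred from the commit title, since vconn_transact() is not visible here. do_probe's body starts and ends outside the hunk.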