From 4d0ed51998b35595474d62f6696928c8d0cd209e Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Wed, 15 Dec 2010 09:48:16 -0800
Subject: [PATCH] ofproto: Fix write-after-free error in compose_nx_flow_removed().
---
 lib/nx-match.c | 10 ++++++++++
 ofproto/ofproto.c | 4 ++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/nx-match.c b/lib/nx-match.c
index c1d8fa84..0b87fc92 100644
--- a/lib/nx-match.c
+++ b/lib/nx-match.c
@@ -562,6 +562,16 @@ nxm_put_eth_dst(struct ofpbuf *b,
 }
 }
+/* Appends to 'b' the nx_match format that expresses 'cr' (except for
+ * 'cr->priority', because priority is not part of nx_match), plus enough
+ * zero bytes to pad the nx_match out to a multiple of 8.
+ *
+ * This function can cause 'b''s data to be reallocated.
+ *
+ * Returns the number of bytes appended to 'b', excluding padding.
+ *
+ * If 'cr' is a catch-all rule that matches every packet, then this function
+ * appends nothing to 'b' and returns 0. */
 int nx_put_match(struct ofpbuf *b, const struct cls_rule *cr)
 {
diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
index 8b52b80a..5cd76df8 100644
--- a/ofproto/ofproto.c
+++ b/ofproto/ofproto.c
@@ -4698,10 +4698,10 @@ compose_nx_flow_removed(const struct rule *rule, uint8_t reason)
 struct ofpbuf *buf;
 int match_len;
- nfr = make_nxmsg(sizeof *nfr, NXT_FLOW_REMOVED, &buf);
+ make_nxmsg(sizeof *nfr, NXT_FLOW_REMOVED, &buf);
 match_len = nx_put_match(buf, &rule->cr);
-
+ nfr = buf->data;
 nfr->cookie = rule->flow_cookie;
 nfr->priority = htons(rule->cr.priority);
 nfr->reason = reason;
--
2.30.2
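Review bot: The ordering constraint behind `nfr = buf->data;` in compose_nx_flow_removed() is not recorded at the assignment, so a later tidy-up could move it back beside `make_nxmsg()` and reintroduce the write through a stale pointer. A one-line comment above it would pin the invariant, for example `/* nx_put_match() may reallocate 'buf', so look up 'nfr' only afterward. */`. Any other caller that keeps a pointer into an ofpbuf across `nx_put_match()` would presumably have the same problem; none are visible in this patch, so that is worth a separate audit. The function body starts and ends outside the hunk.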