From 9dbe4e889d2558b378dcae9ead57dc32ebc4a174 Mon Sep 17 00:00:00 2001 From: Ethan Jackson Date: Wed, 1 Aug 2012 13:01:01 -0700 Subject: [PATCH] flow: Fix wild pointer dereference in flow_compose(). The 'ip' variable in flow_compose() points to some memory allocated in an ofpbuf. The ofpbuf is modified without making the necessary updates to the location of 'ip' causing a potential wild memory access. Found by inspection. Signed-off-by: Ethan Jackson --- lib/flow.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/flow.c b/lib/flow.c index 6129703a..59b5fb7d 100644 --- a/lib/flow.c +++ b/lib/flow.c @@ -1065,6 +1065,7 @@ flow_compose(struct ofpbuf *b, const struct flow *flow) } } + ip = b->l3; ip->ip_tot_len = htons((uint8_t *) b->data + b->size - (uint8_t *) b->l3); } else if (flow->dl_type == htons(ETH_TYPE_IPV6)) { -- 2.30.2
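Review bot: the added `ip = b->l3;` directly before the `ip->ip_tot_len = htons(...)` store carries no comment explaining why the pointer is reloaded, so it reads as redundant and could be dropped in a later cleanup. A one-line comment would protect it, for example `/* 'b' was modified above, so the old 'ip' may be stale; reload it from b->l3. */`. The commit message attributes the bug to the ofpbuf being modified after 'ip' was taken, so it is also worth confirming that no other pointer into 'b' obtained earlier in this IPv4 branch is used after those modifications. Deriving such pointers from `b->l3` at the point of use, as this line does, avoids the stale-pointer case.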