From f299fbeb4bd21a454ca598de36ddf6e7fa995f40 Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Thu, 1 Dec 2011 08:33:55 -0800
Subject: [PATCH] learn: Avoid 1-byte buffer underrun in learn_format().

Reported-and-tested-by: Jari Sundell
---
 lib/learn.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/learn.c b/lib/learn.c
index 19a0e009..9d97cb35 100644
--- a/lib/learn.c
+++ b/lib/learn.c
@@ -621,6 +621,17 @@ learn_format(const struct nx_action_learn *learn, struct ds *s)
 union mf_value value;
 uint8_t *bytes = (uint8_t *) &value;
 
+ if (src_value_bytes > dst_field->n_bytes) {
+ /* The destination field is an odd number of bytes, which
+ * got rounded up to a multiple of 2 to be put into the
+ * learning action. Skip over the leading byte, which
+ * should be zero anyway. Otherwise the memcpy() below
+ * will overrun the start of 'value'. */
+ int diff = src_value_bytes - dst_field->n_bytes;
+ src_value += diff;
+ src_value_bytes -= diff;
+ }
+
 memset(&value, 0, sizeof value);
 memcpy(&bytes[dst_field->n_bytes - src_value_bytes],
 src_value, src_value_bytes);
-- 
2.30.2
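Review bot: The added block in learn_format() skips `diff` leading bytes without checking that they are zero or that `diff` is 1, although the comment only justifies the one-byte rounding case. If the immediate is wider than the destination field for another reason (for example an action that was not validated before being formatted, which this hunk does not show), the printed value silently loses its high-order bytes and the output no longer reflects what is encoded. I would at least extend the comment, e.g. `/* 'diff' may exceed 1 for a malformed action; the skipped bytes are not checked and are dropped from the output. */`, or surface non-zero skipped bytes in the formatted string. The memcpy() bound looks right after the adjustment, assuming `dst_field->n_bytes` never exceeds `sizeof value`; the function body starts and ends outside the hunk, so that cannot be confirmed here.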