ofproto-dpif: Avoid dereferencing possibly null or wild pointer.
author Ben Pfaff <blp@nicira.com>
Thu, 16 Aug 2012 18:33:21 +0000 (11:33 -0700)
committer Ben Pfaff <blp@nicira.com>
Thu, 16 Aug 2012 23:13:21 +0000 (16:13 -0700)
If ofpacts_len is 0 then ofpacts->type is a bad reference.

(An early draft of ofpacts used an OFPACT_END sentinel so that there was
always data there in this function, but in review the sentinel got deleted
and I did not notice that this function needed an update.)

Found by valgrind.

Bug #12847.
Signed-off-by: Ben Pfaff <blp@nicira.com>
ofproto/ofproto-dpif.c

index d66c500e6a62f4d40e9626465f9ee35d37895a0f..ac1a9633ef5595042ecc0b750f77607ee5783eda 100644 (file)
@@ -3794,7 +3794,8 @@ facet_is_controller_flow(struct facet *facet)
         const struct ofpact *ofpacts = rule->ofpacts;
         size_t ofpacts_len = rule->ofpacts_len;
 
-        if (ofpacts->type == OFPACT_CONTROLLER &&
+        if (ofpacts_len > 0 &&
+            ofpacts->type == OFPACT_CONTROLLER &&
             ofpact_next(ofpacts) >= ofpact_end(ofpacts, ofpacts_len)) {
             return true;
         }
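Review bot: The added `ofpacts_len > 0` test in the condition only excludes the empty case; the `ofpacts->type` read and the `ofpact_next(ofpacts)` call that follow still assume that any non-zero `ofpacts_len` covers at least one complete `struct ofpact`. If that invariant is guaranteed wherever `rule->ofpacts` and `rule->ofpacts_len` are set, a short comment above the `if` saying so, and noting that an empty action list carries no terminating sentinel, would keep a later cleanup from dropping the guard. Since the bug was found by valgrind rather than by a test, it would also be worth adding a test case that reaches facet_is_controller_flow() with a rule whose `ofpacts_len` is 0.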