git.proxmox.com Git - ovs.git/commit

author	Joe Stringer <joe@ovn.org>
	Mon, 7 Mar 2016 23:36:37 +0000 (15:36 -0800)
committer	Joe Stringer <joe@ovn.org>
	Tue, 29 Mar 2016 21:11:16 +0000 (10:11 +1300)
commit	ebe12cd3e1ea2cb7866438cd171464bc5f9fcc8f
tree	aa70f5369982a2e1bbd7628b19484064beb67bb4	tree
parent	e659c96bca2c9dbb800ce7882610fd39172c1cef	commit \| diff

ofp-actions: Fix use-after-free with ofpact_finish().

ofpact_finish() may now reallocate the buffer it is passed, but not all
callers updated their local pointers to the current action in the
buffer. This could potentially lead to several use-after-free bugs.

Update ofpact_finish() to return the new pointer to the ofpact which is
provided, and update the calling points to ensure that their local
pointers are pointing into the correct (potentially reallocated) buffer.

Fixes: 2bd318dec242 ("ofp-actions: Make composing actions harder to screw up.")
Reported-by: William Tu <u9012063@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Acked-by: Ryan Moats <rmoats@us.ibm.com>

lib/bundle.c		diff \| blob \| blame \| history
lib/ofp-actions.c		diff \| blob \| blame \| history
lib/ofp-actions.h		diff \| blob \| blame \| history
ofproto/ofproto-dpif.c		diff \| blob \| blame \| history