Message ID | 1457133534-18913-1-git-send-email-u9012063@gmail.com |
---|---|
State | Accepted |
Headers | show |
On 4 March 2016 at 15:18, William Tu <u9012063@gmail.com> wrote: > It is possible for ofpbuf_put() to realloc a newly allocated address, > casuing the previously referenced pointer, ogds, points to old/free'd > address. The issue is generated by forcing ofpbuf_put() to use newly > allocated buffer and valgrind reports invalid write. The similiar syndrome > is reported at: https://patchwork.ozlabs.org/patch/591330/ > > Invalid write of size 2 > ofputil_append_ofp15_group_desc_reply (ofp-util.c:8367) > ofputil_append_group_desc_reply (ofp-util.c:8392) > append_group_desc (ofproto.c:6262) > handle_group_request (ofproto.c:6230) > handle_group_desc_stats_request (ofproto.c:6269) > handle_openflow__ (ofproto.c:7337) > handle_openflow (ofproto.c:7403) > ofconn_run (connmgr.c:1379) > connmgr_run (connmgr.c:323) > ofproto_run (ofproto.c:1762) > bridge_run__ (bridge.c:2885) > bridge_run (bridge.c:2940) > main (ovs-vswitchd.c:120) > > Address 0x7cb1020 is 144 bytes inside a block of size 1,144 free'd > free (vg_replace_malloc.c:530) > ofpbuf_resize__ (ofpbuf.c:246) > ofpbuf_put (ofpbuf.c:386) > nx_put_header__ (nx-match.c:1241) > nxm_put__ (nx-match.c:697) > oxm_put_field_array (nx-match.c:1226) > ofputil_put_group_prop_ntr_selection_method (ofp-util.c:8305) > ofputil_append_ofp15_group_desc_reply (ofp-util.c:8364) > ofputil_append_group_desc_reply (ofp-util.c:8392) > append_group_desc (ofproto.c:6262) > > Signed-off-by: William Tu <u9012063@gmail.com> Thanks, applied to master, branch-2.5 and branch-2.4.
diff --git a/lib/ofp-util.c b/lib/ofp-util.c index aae389d..11374d0 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -8364,6 +8364,7 @@ ofputil_append_ofp15_group_desc_reply(const struct ofputil_group_desc *gds, ofputil_put_group_prop_ntr_selection_method(version, &gds->props, reply); } + ogds = ofpbuf_at_assert(reply, start_ogds, sizeof *ogds); ogds->length = htons(reply->size - start_ogds); ofpmp_postappend(replies, start_ogds);
It is possible for ofpbuf_put() to realloc a newly allocated address, casuing the previously referenced pointer, ogds, points to old/free'd address. The issue is generated by forcing ofpbuf_put() to use newly allocated buffer and valgrind reports invalid write. The similiar syndrome is reported at: https://patchwork.ozlabs.org/patch/591330/ Invalid write of size 2 ofputil_append_ofp15_group_desc_reply (ofp-util.c:8367) ofputil_append_group_desc_reply (ofp-util.c:8392) append_group_desc (ofproto.c:6262) handle_group_request (ofproto.c:6230) handle_group_desc_stats_request (ofproto.c:6269) handle_openflow__ (ofproto.c:7337) handle_openflow (ofproto.c:7403) ofconn_run (connmgr.c:1379) connmgr_run (connmgr.c:323) ofproto_run (ofproto.c:1762) bridge_run__ (bridge.c:2885) bridge_run (bridge.c:2940) main (ovs-vswitchd.c:120) Address 0x7cb1020 is 144 bytes inside a block of size 1,144 free'd free (vg_replace_malloc.c:530) ofpbuf_resize__ (ofpbuf.c:246) ofpbuf_put (ofpbuf.c:386) nx_put_header__ (nx-match.c:1241) nxm_put__ (nx-match.c:697) oxm_put_field_array (nx-match.c:1226) ofputil_put_group_prop_ntr_selection_method (ofp-util.c:8305) ofputil_append_ofp15_group_desc_reply (ofp-util.c:8364) ofputil_append_group_desc_reply (ofp-util.c:8392) append_group_desc (ofproto.c:6262) Signed-off-by: William Tu <u9012063@gmail.com> --- lib/ofp-util.c | 1 + 1 file changed, 1 insertion(+)