diff options
author | Ben Pfaff <blp@nicira.com> | 2012-06-23 22:34:39 -0700 |
---|---|---|
committer | Ben Pfaff <blp@nicira.com> | 2012-06-25 17:03:05 -0700 |
commit | 747449460209471701e1702b9bfaa71d0d4d1d91 (patch) | |
tree | 5883b675a579ff4b8063cfc4e9b1ff3aaba80002 | |
parent | 567a044a39d32955b965c1c3873ec902be5d6cc4 (diff) |
ofp-util: Avoid use-after-free in ofputil_encode_flow_mod().
nx_put_match() can reallocate the ofpbuf's data so we need to reload the
pointer.
Found by inspection.
Signed-off-by: Ben Pfaff <blp@nicira.com>
-rw-r--r-- | lib/ofp-util.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/ofp-util.c b/lib/ofp-util.c index 5aab3dfd..15340f6c 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -1159,10 +1159,10 @@ ofputil_encode_flow_mod(const struct ofputil_flow_mod *fm, msg = ofpbuf_new(sizeof *nfm + NXM_TYPICAL_LEN + actions_len); put_nxmsg(sizeof *nfm, NXT_FLOW_MOD, msg); + match_len = nx_put_match(msg, &fm->cr, fm->cookie, fm->cookie_mask); nfm = msg->data; nfm->command = htons(command); nfm->cookie = fm->new_cookie; - match_len = nx_put_match(msg, &fm->cr, fm->cookie, fm->cookie_mask); nfm->idle_timeout = htons(fm->idle_timeout); nfm->hard_timeout = htons(fm->hard_timeout); nfm->priority = htons(fm->cr.priority); |