diff mbox series

[ovs-dev,07/10] packets: Fix use-after-free error in packet_put_ra_prefix_opt().

Message ID 20181115060534.7146-7-blp@ovn.org
State Accepted
Headers show
Series [ovs-dev,01/10] ovsdb-idl: Avoid sending transactions when the DB is not synced up. | expand

Commit Message

Ben Pfaff Nov. 15, 2018, 6:05 a.m. UTC 
dp_packet_put_uninit() can reallocate the data buffer, so find the L4
header pointer afterward instead of before.

Found by Address Sanitizer.

Signed-off-by: Ben Pfaff <blp@ovn.org>
---
 lib/packets.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/lib/packets.c b/lib/packets.c
index 38bfb6015b9e..2d6f77b919a5 100644
--- a/lib/packets.c
+++ b/lib/packets.c
@@ -1613,7 +1613,6 @@  packet_put_ra_prefix_opt(struct dp_packet *b,
     struct ip6_hdr *nh = dp_packet_l3(b);
     nh->ip6_plen = htons(prev_l4_size + ND_PREFIX_OPT_LEN);
 
-    struct ovs_ra_msg *ra = dp_packet_l4(b);
     struct ovs_nd_prefix_opt *prefix_opt =
         dp_packet_put_uninit(b, sizeof *prefix_opt);
     prefix_opt->type = ND_OPT_PREFIX_INFORMATION;
@@ -1625,6 +1624,7 @@  packet_put_ra_prefix_opt(struct dp_packet *b,
     put_16aligned_be32(&prefix_opt->reserved, 0);
     memcpy(prefix_opt->prefix.be32, prefix.be32, sizeof(ovs_be32[4]));
 
+    struct ovs_ra_msg *ra = dp_packet_l4(b);
     ra->icmph.icmp6_cksum = 0;
     uint32_t icmp_csum = packet_csum_pseudoheader6(dp_packet_l3(b));
     ra->icmph.icmp6_cksum = csum_finish(csum_continue(