{"id":817062,"url":"http://patchwork.ozlabs.org/api/patches/817062/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/patch/20170921165958.3218-3-blp@ovn.org/","project":{"id":47,"url":"http://patchwork.ozlabs.org/api/projects/47/?format=json","name":"Open vSwitch","link_name":"openvswitch","list_id":"ovs-dev.openvswitch.org","list_email":"ovs-dev@openvswitch.org","web_url":"http://openvswitch.org/","scm_url":"git@github.com:openvswitch/ovs.git","webscm_url":"https://github.com/openvswitch/ovs","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170921165958.3218-3-blp@ovn.org>","list_archive_url":null,"date":"2017-09-21T16:59:57","name":"[ovs-dev,v4,2/3] ofp-util: Fix memory leaks on error cases in ofputil_decode_group_mod().","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"80113a122cf36bea7b817c2b3ebdb94b91a89041","submitter":{"id":67603,"url":"http://patchwork.ozlabs.org/api/people/67603/?format=json","name":"Ben Pfaff","email":"blp@ovn.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/openvswitch/patch/20170921165958.3218-3-blp@ovn.org/mbox/","series":[{"id":4447,"url":"http://patchwork.ozlabs.org/api/series/4447/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/list/?series=4447","date":"2017-09-21T16:59:55","name":"Fix memory leaks and overreads in ofp-util","version":4,"mbox":"http://patchwork.ozlabs.org/series/4447/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/817062/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/817062/checks/","tags":{},"related":[],"headers":{"Return-Path":"<ovs-dev-bounces@openvswitch.org>","X-Original-To":["incoming@patchwork.ozlabs.org","dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","ovs-dev@mail.linuxfoundation.org"],"Authentication-Results":"ozlabs.org;\n\tspf=pass (mailfrom) 
smtp.mailfrom=openvswitch.org\n\t(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;\n\tenvelope-from=ovs-dev-bounces@openvswitch.org;\n\treceiver=<UNKNOWN>)","Received":["from mail.linuxfoundation.org (mail.linuxfoundation.org\n\t[140.211.169.12])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xyjgn1NPgz9t4r\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri, 22 Sep 2017 03:06:29 +1000 (AEST)","from mail.linux-foundation.org (localhost [127.0.0.1])\n\tby mail.linuxfoundation.org (Postfix) with ESMTP id 970A1BD0;\n\tThu, 21 Sep 2017 17:05:18 +0000 (UTC)","from smtp1.linuxfoundation.org (smtp1.linux-foundation.org\n\t[172.17.192.35])\n\tby mail.linuxfoundation.org (Postfix) with ESMTPS id BF416B76\n\tfor <dev@openvswitch.org>; Thu, 21 Sep 2017 17:05:17 +0000 (UTC)","from relay6-d.mail.gandi.net (relay6-d.mail.gandi.net\n\t[217.70.183.198])\n\tby smtp1.linuxfoundation.org (Postfix) with ESMTPS id 49FEC41D\n\tfor <dev@openvswitch.org>; Thu, 21 Sep 2017 17:05:17 +0000 (UTC)","from sigabrt.gateway.sonic.net\n\t(173-228-112-34.dsl.dynamic.fusionbroadband.com [173.228.112.34])\n\t(Authenticated sender: blp@ovn.org)\n\tby relay6-d.mail.gandi.net (Postfix) with ESMTPSA id CFDF7FB881;\n\tThu, 21 Sep 2017 19:05:12 +0200 (CEST)"],"X-Greylist":"domain auto-whitelisted by SQLgrey-1.7.6","X-Originating-IP":"173.228.112.34","From":"Ben Pfaff <blp@ovn.org>","To":"dev@openvswitch.org","Date":"Thu, 21 Sep 2017 09:59:57 -0700","Message-Id":"<20170921165958.3218-3-blp@ovn.org>","X-Mailer":"git-send-email 2.10.2","In-Reply-To":"<20170921165958.3218-1-blp@ovn.org>","References":"<20170921165958.3218-1-blp@ovn.org>","X-Spam-Status":"No, score=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW\n\tautolearn=disabled version=3.3.1","X-Spam-Checker-Version":"SpamAssassin 3.3.1 (2010-03-16) on\n\tsmtp1.linux-foundation.org","Cc":"Ben Pfaff <blp@ovn.org>,\n\tBhargava Shastry 
<bshastry@sec.t-labs.tu-berlin.de>","Subject":"[ovs-dev] [PATCH v4 2/3] ofp-util: Fix memory leaks on error cases\n\tin ofputil_decode_group_mod().","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.12","Precedence":"list","List-Id":"<ovs-dev.openvswitch.org>","List-Unsubscribe":"<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n\t<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","List-Post":"<mailto:ovs-dev@openvswitch.org>","List-Help":"<mailto:ovs-dev-request@openvswitch.org?subject=help>","List-Subscribe":"<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n\t<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"ovs-dev-bounces@openvswitch.org","Errors-To":"ovs-dev-bounces@openvswitch.org"},"content":"Found by libFuzzer.\n\nReported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>\nSigned-off-by: Ben Pfaff <blp@ovn.org>\n---\n lib/ofp-util.c | 82 ++++++++++++++++++++++++++++++++++------------------------\n 1 file changed, 48 insertions(+), 34 deletions(-)","diff":"diff --git a/lib/ofp-util.c b/lib/ofp-util.c\nindex e915cb2ab2d7..2309a2ad2515 100644\n--- a/lib/ofp-util.c\n+++ b/lib/ofp-util.c\n@@ -9174,6 +9174,7 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length,\n         if (!ob) {\n             VLOG_WARN_RL(&bad_ofmsg_rl, \"buckets end with %\"PRIuSIZE\" leftover bytes\",\n                          buckets_length);\n+            ofputil_bucket_list_destroy(buckets);\n             return OFPERR_OFPGMFC_BAD_BUCKET;\n         }\n \n@@ -9181,11 +9182,13 @@ ofputil_pull_ofp11_buckets(struct ofpbuf *msg, size_t buckets_length,\n         if (ob_len < sizeof *ob) {\n             VLOG_WARN_RL(&bad_ofmsg_rl, \"OpenFlow message bucket length \"\n                          \"%\"PRIuSIZE\" is not valid\", ob_len);\n+      
      ofputil_bucket_list_destroy(buckets);\n             return OFPERR_OFPGMFC_BAD_BUCKET;\n         } else if (ob_len > buckets_length) {\n             VLOG_WARN_RL(&bad_ofmsg_rl, \"OpenFlow message bucket length \"\n                          \"%\"PRIuSIZE\" exceeds remaining buckets data size %\"PRIuSIZE,\n                          ob_len, buckets_length);\n+            ofputil_bucket_list_destroy(buckets);\n             return OFPERR_OFPGMFC_BAD_BUCKET;\n         }\n         buckets_length -= ob_len;\n@@ -9817,6 +9820,7 @@ ofputil_pull_ofp11_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,\n         && gm->command == OFPGC11_DELETE\n         && !ovs_list_is_empty(&gm->buckets)) {\n         error = OFPERR_OFPGMFC_INVALID_GROUP;\n+        ofputil_bucket_list_destroy(&gm->buckets);\n     }\n \n     return error;\n@@ -9881,41 +9885,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,\n                                         msg->size);\n }\n \n-/* Converts OpenFlow group mod message 'oh' into an abstract group mod in\n- * 'gm'.  Returns 0 if successful, otherwise an OpenFlow error code. 
*/\n-enum ofperr\n-ofputil_decode_group_mod(const struct ofp_header *oh,\n-                         struct ofputil_group_mod *gm)\n+static enum ofperr\n+ofputil_check_group_mod(const struct ofputil_group_mod *gm)\n {\n-    ofputil_init_group_properties(&gm->props);\n-\n-    enum ofp_version ofp_version = oh->version;\n-    struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length));\n-    ofpraw_pull_assert(&msg);\n-\n-    enum ofperr err;\n-    switch (ofp_version)\n-    {\n-    case OFP11_VERSION:\n-    case OFP12_VERSION:\n-    case OFP13_VERSION:\n-    case OFP14_VERSION:\n-        err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm);\n-        break;\n-\n-    case OFP15_VERSION:\n-    case OFP16_VERSION:\n-        err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm);\n-        break;\n-\n-    case OFP10_VERSION:\n-    default:\n-        OVS_NOT_REACHED();\n-    }\n-    if (err) {\n-        return err;\n-    }\n-\n     switch (gm->type) {\n     case OFPGT11_INDIRECT:\n         if (gm->command != OFPGC11_DELETE\n@@ -9977,6 +9949,48 @@ ofputil_decode_group_mod(const struct ofp_header *oh,\n     return 0;\n }\n \n+/* Converts OpenFlow group mod message 'oh' into an abstract group mod in\n+ * 'gm'.  Returns 0 if successful, otherwise an OpenFlow error code. 
*/\n+enum ofperr\n+ofputil_decode_group_mod(const struct ofp_header *oh,\n+                         struct ofputil_group_mod *gm)\n+{\n+    ofputil_init_group_properties(&gm->props);\n+\n+    enum ofp_version ofp_version = oh->version;\n+    struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length));\n+    ofpraw_pull_assert(&msg);\n+\n+    enum ofperr err;\n+    switch (ofp_version)\n+    {\n+    case OFP11_VERSION:\n+    case OFP12_VERSION:\n+    case OFP13_VERSION:\n+    case OFP14_VERSION:\n+        err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm);\n+        break;\n+\n+    case OFP15_VERSION:\n+    case OFP16_VERSION:\n+        err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm);\n+        break;\n+\n+    case OFP10_VERSION:\n+    default:\n+        OVS_NOT_REACHED();\n+    }\n+    if (err) {\n+        return err;\n+    }\n+\n+    err = ofputil_check_group_mod(gm);\n+    if (err) {\n+        ofputil_uninit_group_mod(gm);\n+    }\n+    return err;\n+}\n+\n /* Destroys 'bms'. */\n void\n ofputil_free_bundle_msgs(struct ofputil_bundle_msg *bms, size_t n_bms)\n","prefixes":["ovs-dev","v4","2/3"]}
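Review bot: the three error returns touched in ofputil_pull_ofp11_buckets() (the !ob case, ob_len < sizeof *ob, and ob_len > buckets_length) each repeat ofputil_bucket_list_destroy(buckets) immediately before return OFPERR_OFPGMFC_BAD_BUCKET, so any further error return in the same loop, outside the lines shown, has to remember the same call. A single cleanup label reached with goto would keep the free in one place. The function comment should also say that 'buckets' is destroyed when an error is returned, so callers do not rely on its contents afterwards.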
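Review bot: in ofputil_pull_ofp11_group_mod(), the added ofputil_bucket_list_destroy(&gm->buckets) covers only the OFPGC11_DELETE with non-empty buckets case, yet ofputil_decode_group_mod() returns immediately on a pull error without any cleanup of its own. Every other error path in this function therefore has to leave 'gm' free of allocations as well. Please confirm that against the part of the function above this hunk, and note in its comment that it owns cleanup on failure.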
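Review bot: the new static ofputil_check_group_mod() introduced in the @@ -9881 hunk has no comment, while the original comment stays with ofputil_decode_group_mod(). Add a short one stating that it validates an already decoded 'gm' (the gm->type and gm->command checks that follow), returns 0 or an OpenFlow error code, and leaves freeing 'gm' to the caller, which the const pointer implies but does not spell out.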
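Review bot: the two failure paths in the re-added ofputil_decode_group_mod() (the @@ -9949 hunk) are handled differently: a pull error leaves through if (err) { return err; } with no cleanup, while a check error calls ofputil_uninit_group_mod(gm). The patch adds cleanup only on the ofp11 pull path, so the OFP15_VERSION/OFP16_VERSION case depends on ofputil_pull_ofp15_group_mod() freeing everything itself, which is not visible here. If ofputil_uninit_group_mod() is safe on a partially decoded 'gm', routing both failures through it would be simpler and harder to regress. Either way, the function comment should state that the caller must not uninit 'gm' when an error is returned.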