| Message ID | 1547810338-84381-1-git-send-email-cpp.code.lv@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [ovs-dev] ofpbuf: fixed a bug in ofpbuf_insert | expand |
On 18.01.2019 14:18, Toms Atteka wrote: > memmove byte count was calculated incorrectly as ofpbuf_put_uninit > is increasing b->size by n. > > This patch fixes it by deducing byte count by n. > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12296 > Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com> > --- > lib/ofpbuf.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lib/ofpbuf.c b/lib/ofpbuf.c > index 9c06236..91a5295 100644 > --- a/lib/ofpbuf.c > +++ b/lib/ofpbuf.c > @@ -469,9 +469,9 @@ void > ofpbuf_insert(struct ofpbuf *b, size_t offset, const void *data, size_t n) > { > if (offset < b->size) { > - ofpbuf_put_uninit(b, n); > + ofpbuf_put_uninit(b, n); // b->size gets increased Please, don't use C99 style comments. Use /* */ instead. > memmove((char *) b->data + offset + n, (char *) b->data + offset, > - b->size - offset); > + b->size - offset - n); > memcpy((char *) b->data + offset, data, n); > } else { > ovs_assert(offset == b->size); >
On Fri, Jan 18, 2019 at 03:53:46PM +0300, Ilya Maximets wrote: > On 18.01.2019 14:18, Toms Atteka wrote: > > memmove byte count was calculated incorrectly as ofpbuf_put_uninit > > is increasing b->size by n. > > > > This patch fixes it by deducing byte count by n. > > > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12296 > > Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com> > > --- > > lib/ofpbuf.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/lib/ofpbuf.c b/lib/ofpbuf.c > > index 9c06236..91a5295 100644 > > --- a/lib/ofpbuf.c > > +++ b/lib/ofpbuf.c > > @@ -469,9 +469,9 @@ void > > ofpbuf_insert(struct ofpbuf *b, size_t offset, const void *data, size_t n) > > { > > if (offset < b->size) { > > - ofpbuf_put_uninit(b, n); > > + ofpbuf_put_uninit(b, n); // b->size gets increased > > Please, don't use C99 style comments. Use /* */ instead. I fixed that up, applied this to master and then backported it as far as branch-2.6.
diff --git a/lib/ofpbuf.c b/lib/ofpbuf.c index 9c06236..91a5295 100644 --- a/lib/ofpbuf.c +++ b/lib/ofpbuf.c @@ -469,9 +469,9 @@ void ofpbuf_insert(struct ofpbuf *b, size_t offset, const void *data, size_t n) { if (offset < b->size) { - ofpbuf_put_uninit(b, n); + ofpbuf_put_uninit(b, n); // b->size gets increased memmove((char *) b->data + offset + n, (char *) b->data + offset, - b->size - offset); + b->size - offset - n); memcpy((char *) b->data + offset, data, n); } else { ovs_assert(offset == b->size);
memmove byte count was calculated incorrectly as ofpbuf_put_uninit is increasing b->size by n. This patch fixes it by deducing byte count by n. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12296 Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com> --- lib/ofpbuf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)