@@ -1978,18 +1978,21 @@ format_PUT_ND_RA_OPTS(const struct ovnact_put_opts *po,
static void
encode_put_nd_ra_option(const struct ovnact_gen_option *o,
- struct ofpbuf *ofpacts, struct ovs_ra_msg *ra)
+ struct ofpbuf *ofpacts, ptrdiff_t ra_offset)
{
const union expr_constant *c = o->value.values;
switch (o->option->code) {
case ND_RA_FLAG_ADDR_MODE:
+ {
+ struct ovs_ra_msg *ra = ofpbuf_at(ofpacts, ra_offset, sizeof *ra);
if (!strcmp(c->string, "dhcpv6_stateful")) {
ra->mo_flags = IPV6_ND_RA_FLAG_MANAGED_ADDR_CONFIG;
} else if (!strcmp(c->string, "dhcpv6_stateless")) {
ra->mo_flags = IPV6_ND_RA_FLAG_OTHER_ADDR_CONFIG;
}
break;
+ }
case ND_OPT_SOURCE_LINKADDR:
{
@@ -2051,6 +2054,7 @@ encode_PUT_ND_RA_OPTS(const struct ovnact_put_opts *po,
* pinctrl module receives the ICMPv6 Router Solicitation packet
* it can copy the userdata field AS IS and resume the packet.
*/
+ size_t ra_offset = ofpacts->size;
struct ovs_ra_msg *ra = ofpbuf_put_zeros(ofpacts, sizeof *ra);
ra->icmph.icmp6_type = ND_ROUTER_ADVERT;
ra->cur_hop_limit = IPV6_ND_RA_CUR_HOP_LIMIT;
@@ -2059,7 +2063,7 @@ encode_PUT_ND_RA_OPTS(const struct ovnact_put_opts *po,
for (const struct ovnact_gen_option *o = po->options;
o < &po->options[po->n_options]; o++) {
- encode_put_nd_ra_option(o, ofpacts, ra);
+ encode_put_nd_ra_option(o, ofpacts, ra_offset);
}
encode_finish_controller_op(oc_offset, ofpacts);
In general, maintaining a pointer into an ofpbuf is risky. As the ofpbuf grows, it can reallocate its data. If this happens, then pointers into the data will become invalid. A safer practice is to track an offset into the ofpbuf's data where a structure you are interested in is kept. This way, if the ofpbuf data is reallocated, you can find your structure again by using the offset. In practice, this patch is not fixing any issues with OVN. Even though the ra pointer is pointing to ofpbuf data that can be reallocated, it will never actually happen. ovn-northd and all test cases always encode the address mode first, meaning we will only ever read from the ra pointer before the ofpbuf has a chance to expand. However, this base work is essential for an upcoming patch in this series. Signed-off-by: Mark Michelson <mmichels@redhat.com> --- ovn/lib/actions.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)