From patchwork Wed Dec 23 21:37:23 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Zhou X-Patchwork-Id: 560742 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from archives.nicira.com (unknown [IPv6:2600:3c00::f03c:91ff:fe6e:bdf7]) by ozlabs.org (Postfix) with ESMTP id 4D81A140BA3 for ; Thu, 24 Dec 2015 08:38:11 +1100 (AEDT) Received: from archives.nicira.com (localhost [127.0.0.1]) by archives.nicira.com (Postfix) with ESMTP id E218210C48; Wed, 23 Dec 2015 13:38:09 -0800 (PST) X-Original-To: dev@openvswitch.org Delivered-To: dev@openvswitch.org Received: from mx3v3.cudamail.com (mx3.cudamail.com [64.34.241.5]) by archives.nicira.com (Postfix) with ESMTPS id 6C72110C38 for ; Wed, 23 Dec 2015 13:38:08 -0800 (PST) Received: from bar3.cudamail.com (localhost [127.0.0.1]) by mx3v3.cudamail.com (Postfix) with ESMTPS id 01854161093 for ; Wed, 23 Dec 2015 14:38:08 -0700 (MST) X-ASG-Debug-ID: 1450906687-03dd7b16ca0b920001-byXFYA Received: from mx3-pf2.cudamail.com ([192.168.14.1]) by bar3.cudamail.com with ESMTP id FUlAIEnslHwekUE6 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 23 Dec 2015 14:38:07 -0700 (MST) X-Barracuda-Envelope-From: azhou@ovn.org X-Barracuda-RBL-Trusted-Forwarder: 192.168.14.1 Received: from unknown (HELO relay6-d.mail.gandi.net) (217.70.183.198) by mx3-pf2.cudamail.com with ESMTPS (DHE-RSA-AES256-SHA encrypted); 23 Dec 2015 21:38:07 -0000 Received-SPF: pass (mx3-pf2.cudamail.com: SPF record at ovn.org designates 217.70.183.198 as permitted sender) X-Barracuda-Apparent-Source-IP: 217.70.183.198 X-Barracuda-RBL-IP: 217.70.183.198 Received: from mfilter45-d.gandi.net (mfilter45-d.gandi.net [217.70.178.176]) by relay6-d.mail.gandi.net (Postfix) with ESMTP id 8C6E9FB887 for ; Wed, 23 Dec 2015 22:38:05 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at mfilter45-d.gandi.net Received: from relay6-d.mail.gandi.net ([IPv6:::ffff:217.70.183.198]) by mfilter45-d.gandi.net (mfilter45-d.gandi.net [::ffff:10.0.15.180]) (amavisd-new, port 10024) with ESMTP id tm-WflEVmHWV for ; Wed, 23 Dec 2015 22:38:04 +0100 (CET) X-Originating-IP: 74.125.82.45 Received: from mail-wm0-f45.google.com (mail-wm0-f45.google.com [74.125.82.45]) (Authenticated sender: azhou@ovn.org) by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id 21A4EFB8A0 for ; Wed, 23 Dec 2015 22:38:03 +0100 (CET) Received: by mail-wm0-f45.google.com with SMTP id p187so163491136wmp.0 for ; Wed, 23 Dec 2015 13:38:03 -0800 (PST) X-Received: by 10.194.75.202 with SMTP id e10mr40278430wjw.160.1450906682912; Wed, 23 Dec 2015 13:38:02 -0800 (PST) MIME-Version: 1.0 Received: by 10.27.81.78 with HTTP; Wed, 23 Dec 2015 13:37:23 -0800 (PST) In-Reply-To: <20151223172601.GB12011@ovn.org> References: <1450248689-4810-1-git-send-email-blp@ovn.org> <20151223172601.GB12011@ovn.org> X-CudaMail-Envelope-Sender: azhou@ovn.org From: Andy Zhou Date: Wed, 23 Dec 2015 13:37:23 -0800 X-Gmail-Original-Message-ID: Message-ID: X-CudaMail-Whitelist-To: dev@openvswitch.org X-CudaMail-MID: CM-V2-1222052146 X-CudaMail-DTE: 122315 X-CudaMail-Originating-IP: 217.70.183.198 To: Ben Pfaff X-ASG-Orig-Subj: [##CM-V2-1222052146##]Re: [ovs-dev] [PATCH] ofp-util: Avoid use-after-free error in ofputil_append_meter_config() X-Barracuda-Connect: UNKNOWN[192.168.14.1] X-Barracuda-Start-Time: 1450906687 X-Barracuda-Encrypted: DHE-RSA-AES256-SHA X-Barracuda-URL: https://web.cudamail.com:443/cgi-mod/mark.cgi X-ASG-Whitelist: Header =?UTF-8?B?eFwtY3VkYW1haWxcLXdoaXRlbGlzdFwtdG8=?= X-Virus-Scanned: by bsmtpd at cudamail.com X-Barracuda-BRTS-Status: 1 X-Content-Filtered-By: Mailman/MimeDel 2.1.16 Cc: "dev@openvswitch.org" , weizj <334965317@qq.com> Subject: Re: [ovs-dev] [PATCH] ofp-util: Avoid use-after-free error in ofputil_append_meter_config() X-BeenThere: dev@openvswitch.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@openvswitch.org Sender: "dev" On Wed, Dec 23, 2015 at 9:26 AM, Ben Pfaff wrote: > On Fri, Dec 18, 2015 at 02:51:43PM -0800, Andy Zhou wrote: > > On Tue, Dec 15, 2015 at 10:51 PM, Ben Pfaff wrote: > > > Reported-by: weizj <334965317@qq.com> > > > Reported-at: https://github.com/openvswitch/ovs/pull/97 > > > Signed-off-by: Ben Pfaff > > > > This fix makes sense to me. > > Acked-by: Andy Zhou > > Thanks for the review. > > > If all assignments to 'reply' were grouped together, it may be > > slightly easier to read. > > What do you mean? > This is what I mean. ofpmp_postappend(replies, start_ofs); } > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev > diff --git a/lib/ofp-util.c b/lib/ofp-util.c index 126b555..24d96f7 100644 --- a/lib/ofp-util.c +++ b/lib/ofp-util.c @@ -2033,13 +2033,16 @@ ofputil_append_meter_config(struct ovs_list *replies, { struct ofpbuf *msg = ofpbuf_from_list(list_back(replies)); size_t start_ofs = msg->size; - struct ofp13_meter_config *reply = ofpbuf_put_uninit(msg, sizeof *reply); - reply->flags = htons(mc->flags); - reply->meter_id = htonl(mc->meter_id); + struct ofp13_meter_config *reply; + ofpbuf_put_uninit(msg, sizeof *reply); ofputil_put_bands(mc->n_bands, mc->bands, msg); - reply->length = htons(msg->size - start_ofs); + reply = ofpbuf_at_assert(msg, start_ofs, sizeof *reply); + + reply->length= htons(msg->size - start_ofs); + reply->flags = htons(mc->flags); + reply->meter_id = htonl(mc->meter_id);