Re: [ovs-dev] [PATCH] nx-match: Fix use-after-free parsing matches.

2016-03-29 Thread Joe Stringer
On 23 March 2016 at 06:41, Ben Pfaff wrote:
> On Mon, Mar 07, 2016 at 11:31:02AM -0800, Joe Stringer wrote:
>> Address pointed by header_ptr might be free'd due to realloc
>> happened in ofpbuf_put_hex(). Reported by valgrind in the test
>> 379: check TCP flags expression in OXM and

Re: [ovs-dev] [PATCH] nx-match: Fix use-after-free parsing matches.

2016-03-22 Thread Ben Pfaff
On Mon, Mar 07, 2016 at 11:31:02AM -0800, Joe Stringer wrote:
> Address pointed by header_ptr might be free'd due to realloc
> happened in ofpbuf_put_hex(). Reported by valgrind in the test
> 379: check TCP flags expression in OXM and NXM.
>
> Invalid write of size 4
>

Re: [ovs-dev] [PATCH] nx-match: Fix use-after-free parsing matches.

2016-03-07 Thread William Tu
Hi Joe,
I've tested this patch (with modification to ofpbuf_put to force using newly allocated address) and it works fine.
Thanks!
Regards,
William
On Mon, Mar 7, 2016 at 11:31 AM, Joe Stringer wrote:
> Address pointed by header_ptr might be free'd due to realloc
> happened in

Re: [ovs-dev] [PATCH] nx-match: Fix use-after-free.

2016-03-07 Thread Joe Stringer
On 4 March 2016 at 17:35, William Tu wrote:
> Address pointed by header_ptr might be free'd due to realloc
> happened at ofpbuf_put_uninit() and ofpbuf_put_hex(). Reported
> by valgrind 379: check TCP flags expression in OXM and NXM.
>
> Invalid write of size 4
>

[ovs-dev] [PATCH] nx-match: Fix use-after-free parsing matches.

2016-03-07 Thread Joe Stringer
Address pointed by header_ptr might be free'd due to realloc happened in ofpbuf_put_hex(). Reported by valgrind in the test 379: check TCP flags expression in OXM and NXM.
Invalid write of size 4
nx_match_from_string_raw (nx-match.c:1510)
nx_match_from_string (nx-match.c:1538)

Re: [ovs-dev] [PATCH] nx-match: Fix use-after-free.

2016-03-07 Thread William Tu
Hi Jarno,
Thanks for the feedback. I forgot to mention that this issue is found by changing the ofpbuf code to make each put reallocate the memory. I patched the code with:
--- a/lib/ofpbuf.c +++ b/lib/ofpbuf.c @@ -383,6 +383,7 @@ ofpbuf_put_zeros(struct ofpbuf *b, size_t size) void *

Re: [ovs-dev] [PATCH] nx-match: Fix use-after-free.

2016-03-07 Thread Jarno Rajahalme
It might be super slow, but how about running the test suite with valgrind and ofpbuf code changed so that each put reallocates the memory? That way we would not have to be lucky about the timing/placement of reallocations to find these bugs?
Jarno
> On Mar 4, 2016, at 5:35 PM, William Tu

[ovs-dev] [PATCH] nx-match: Fix use-after-free.

2016-03-04 Thread William Tu
Address pointed by header_ptr might be free'd due to realloc happened at ofpbuf_put_uninit() and ofpbuf_put_hex(). Reported by valgrind 379: check TCP flags expression in OXM and NXM.
Invalid write of size 4
nx_match_from_string_raw (nx-match.c:1510)
nx_match_from_string (nx-match.c:1538)