On Mon, Jul 20, 2015 at 8:17 AM, Ben Pfaff <b...@nicira.com> wrote: > On Mon, Jul 20, 2015 at 01:22:32AM -0700, Alex Wang wrote: > > Commit 6fd6ed7 (ofpbuf: Simplify ofpbuf API.) introduced the > > 'header' and 'msg' pointers to 'struct ofpbuf'. However, we > > forget to update the 'msg' pointer when resizing ofpbuf. > > > > This bug could cause serious issue. For example, in the function > > ofputil_encode_nx_packet_in(), the 'msg' pointer is populated in > > ofpraw_alloc_xid() when creating the ofpbuf . Later, the ofpbuf > > memory can be reallocated due to the writing to the ofpbuf. > > However, since the 'msg' pointer is not updated, the later use of > > the 'ofpbuf->msg' will end up writing to either free'ed memory or > > memory allocated for other struct. > > > > This commit fixes the bug by always updating the 'header' and > > 'msg' pointers when the ofpbuf is resized. Also, a simple test > > is added. > > > > Signed-off-by: Alex Wang <al...@nicira.com> > > Good catch! > > I don't understand the new comment on ofpbuf_trim(). ofpbuf_resize__() > will adjust the pointers automatically, won't it? >
There is one corner case I tested, assume we 'b = ofpbuf_new(100)' first, and then make 'b->header = b->base + 10', 'b->msg = b->base + 50', without actually putting anything to the buffer yet. Then, calling 'ofpbuf_trim(b)' will trim 'b' to an empty ofpbuf but with 'b->header' and 'b->msg' pointing invalid memory addresses. Dont think I can find any real implication. What do youthink? Thanks, Alex Wang > Acked-by: Ben Pfaff <b...@nicira.com> > _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
