Found by libFuzzer.
Reported-by: Bhargava Shastry <bshas...@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <b...@ovn.org>
---
lib/ofp-util.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index 2309a2ad2515..16c4f191a340 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -9581,8 +9581,13 @@ ofputil_decode_ofp15_group_desc_reply(struct
ofputil_group_desc *gd,
* Such properties are valid for group desc replies so
* claim that the group mod command is OFPGC15_ADD to
* satisfy the check in parse_group_prop_ntr_selection_method() */
- return parse_ofp15_group_properties(msg, gd->type, OFPGC15_ADD, &gd->props,
- length - sizeof *ogds -
bucket_list_len);
+ error = parse_ofp15_group_properties(
+ msg, gd->type, OFPGC15_ADD, &gd->props,
+ length - sizeof *ogds - bucket_list_len);
+ if (error) {
+ ofputil_bucket_list_destroy(&gd->buckets);
+ }
+ return error;
}
/* Converts a group description reply in 'msg' into an abstract
@@ -9881,8 +9886,12 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum
ofp_version ofp_version,
return error;
}
- return parse_ofp15_group_properties(msg, gm->type, gm->command, &gm->props,
- msg->size);
+ error = parse_ofp15_group_properties(msg, gm->type, gm->command,
+ &gm->props, msg->size);
+ if (error) {
+ ofputil_bucket_list_destroy(&gm->buckets);
+ }
+ return error;
}
static enum ofperr
--
2.10.2
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
