ofpbuf_put_zeros routine can rellocate the buffer if the requested size
is bigger than buffer tailroom. Reload ol pointer before running
ofpact_finish_LEARN in order to avoid a possible use-after-free in
add_lb_vip_hairpin_reply_action routine.
Fixes: 022ea339c8 ("lflow: Use learn() action to generate LB hairpin reply
flows.")
Signed-off-by: Lorenzo Bianconi <[email protected]>
---
Changes since v1:
- rely on ofpbuf_at_assert in order to not overwrite possible former actions
---
controller/lflow.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/controller/lflow.c b/controller/lflow.c
index 934b23698..6055097b5 100644
--- a/controller/lflow.c
+++ b/controller/lflow.c
@@ -1775,6 +1775,7 @@ add_lb_vip_hairpin_reply_action(struct in6_addr *vip6,
ovs_be32 vip,
uint64_t cookie, struct ofpbuf *ofpacts)
{
struct match match = MATCH_CATCHALL_INITIALIZER;
+ size_t ol_offset = ofpacts->size;
struct ofpact_learn *ol = ofpact_put_LEARN(ofpacts);
struct ofpact_learn_spec *ol_spec;
unsigned int imm_bytes;
@@ -1928,6 +1929,8 @@ add_lb_vip_hairpin_reply_action(struct in6_addr *vip6,
ovs_be32 vip,
src_imm = ofpbuf_put_zeros(ofpacts, OFPACT_ALIGN(imm_bytes));
memcpy(src_imm, &imm_reg_value, imm_bytes);
+ /* Reload ol pointer since ofpacts buffer can be reallocated. */
+ ol = ofpbuf_at_assert(ofpacts, ol_offset, sizeof *ol);
ofpact_finish_LEARN(ofpacts, &ol);
}
--
2.36.1
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
