Re: [ovs-dev] [PATCH] ofp-actions: Fix use-after-free in decode_NOTE.

2016-04-29 Thread Joe Stringer
On 28 April 2016 at 18:29, Ansis Atteka wrote:
> On 28 April 2016 at 14:13, Joe Stringer wrote:
>> When decoding the 'note' action, variable-length data could be pushed to
>> a buffer immediately prior to calling ofpact_finish_NOTE(). The
>> ofpbuf_put()

Re: [ovs-dev] [PATCH] ofp-actions: Fix use-after-free in decode_NOTE.

2016-04-29 Thread Ansis Atteka
On 29 April 2016 at 09:53, William Tu wrote:
> Looks good to me.
>
>> I had to stop and think a little bit about the ofpact_finish()
>> function's API. It gives freedom to its caller to specify whatever it
>> wants as second 'ofpact' argument. However, at the end of the day
>>

Re: [ovs-dev] [PATCH] ofp-actions: Fix use-after-free in decode_NOTE.

2016-04-29 Thread William Tu
Looks good to me.

> I had to stop and think a little bit about the ofpact_finish()
> function's API. It gives freedom to its caller to specify whatever it
> wants as second 'ofpact' argument. However, at the end of the day
> ofpact_finish() asserts if second argument value does not match to the
>

Re: [ovs-dev] [PATCH] ofp-actions: Fix use-after-free in decode_NOTE.

2016-04-28 Thread Ansis Atteka
On 28 April 2016 at 14:13, Joe Stringer wrote:
> When decoding the 'note' action, variable-length data could be pushed to
> a buffer immediately prior to calling ofpact_finish_NOTE(). The
> ofpbuf_put() could cause reallocation, in which case the finish call
> could access freed

[ovs-dev] [PATCH] ofp-actions: Fix use-after-free in decode_NOTE.

2016-04-28 Thread Joe Stringer
When decoding the 'note' action, variable-length data could be pushed to a buffer immediately prior to calling ofpact_finish_NOTE(). The ofpbuf_put() could cause reallocation, in which case the finish call could access freed memory. Fix the issue by updating the local pointer before passing it to