From: Simon Horman <horms@verge.net.au>
Date: Mon, 3 Jun 2013 05:46:30 +0000 (+0900)
Subject: Always use valid ids pointer in dec_ttl_cnt_ids_from_openflow()
X-Git-Tag: sliver-openvswitch-1.10.90-3~6^2~176
X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;ds=sidebyside;h=e655542cf3cc10f14651fb237582ac7e55683e88;p=sliver-openvswitch.git

Always use valid ids pointer in dec_ttl_cnt_ids_from_openflow()

Always update the ids pointer after calling ofpbuf_put()
to ensure that it is valid when accessed.

During testing a case came up where the call to ofpbuf_put() in the
for (i = 0; i < ids->n_controllers; i++) loop would cause the underlying
buffer to be reallocated. This resulted in ids->n_controllers being an
incorrect value, the loop continuing on longer than desired and finally a
segmentation fault.

Reported-by: Joe Stringer <joe@wand.net.nz>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>
---

diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
index 026a376d9..c98e29a63 100644
--- a/lib/ofp-actions.c
+++ b/lib/ofp-actions.c
@@ -209,9 +209,9 @@ dec_ttl_cnt_ids_from_openflow(const struct nx_action_cnt_ids *nac_ids,
     for (i = 0; i < ids->n_controllers; i++) {
         uint16_t id = ntohs(((ovs_be16 *)(nac_ids + 1))[i]);
         ofpbuf_put(out, &id, sizeof id);
+        ids = out->l2;
     }
 
-    ids = out->l2;
     ofpact_update_len(out, &ids->ofpact);
 
     return 0;