From c824c8a39854199a4221256281b1322cfae33469 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@nicira.com>
Date: Fri, 21 Sep 2012 11:12:39 -0700
Subject: [PATCH] ovsdb-server: Fix null pointer deref when bool "is_connected"
 is empty.

The ovsdb-server supports obtaining its remote connection targets from a
database table and updating that table with connection status information.
One of the supported connection status columns is a boolean column named
"is_connected".  The code in ovsdb-server blindly assigned a bool into
this column without checking that it actually had space allocated for one.
This was and is fine with the ovs-vswitchd schema, which always has exactly
one value in this column.  However, if a database schema makes this column
optional, and there are actually no values in it, then this assignment
dereferences a null pointer.

This commit fixes the problem by allocating space for a bool if none has
yet been allocated.

Noticed while adding an extra test for the connection status feature.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
---
 ovsdb/ovsdb-server.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
index 1bf10d9b4..32e2eb02f 100644
--- a/ovsdb/ovsdb-server.c
+++ b/ovsdb/ovsdb-server.c
@@ -404,12 +404,24 @@ read_string_column(const struct ovsdb_row *row, const char *column_name,
 static void
 write_bool_column(struct ovsdb_row *row, const char *column_name, bool value)
 {
-    struct ovsdb_datum *datum = get_datum(row, column_name, OVSDB_TYPE_BOOLEAN,
-                                          OVSDB_TYPE_VOID, 1);
+    const struct ovsdb_column *column;
+    struct ovsdb_datum *datum;
 
+    column = ovsdb_table_schema_get_column(row->table->schema, column_name);
+    datum = get_datum(row, column_name, OVSDB_TYPE_BOOLEAN,
+                      OVSDB_TYPE_VOID, 1);
     if (!datum) {
         return;
     }
+
+    if (datum->n != 1) {
+        ovsdb_datum_destroy(datum, &column->type);
+
+        datum->n = 1;
+        datum->keys = xmalloc(sizeof *datum->keys);
+        datum->values = NULL;
+    }
+
     datum->keys[0].boolean = value;
 }
 
-- 
2.47.0