ofproto-dpif: Fix use-after-free for OFPP_CONTROLLER flows.

ofproto-dpif: Fix use-after-free for OFPP_CONTROLLER flows.

When a flow consists solely of an output to OFPP_CONTROLLER, we avoid a
round trip to the kernel and back by calling execute_controller_action()
from handle_flow_miss().  However, execute_controller_action() frees the
packet passed in.  This is dangerous, because the packet and the upcall
key are in the same block of malloc()'d memory, as the comment on struct
dpif_upcall says:

/* A packet passed up from the datapath to userspace.
 *
 * If 'key' or 'actions' is nonnull, then it points into data owned by
 * 'packet', so their memory cannot be freed separately.  (This is hardly a
 * great way to do things but it works out OK for the dpif providers and
 * clients that exist so far.)
 */

Thus, we get a use-after-free later on in handle_flow_miss() and eventually
a double free.

This fixes the problem by making execute_controller_action() clone the
packet in this case.

Signed-off-by: Ben Pfaff <blp@nicira.com>