flow: Fix wild pointer dereference in flow_compose().

The 'ip' variable in flow_compose() points to some memory allocated
in an ofpbuf.  The ofpbuf is modified without making the necessary
updates to the location of 'ip' causing a potential wild memory
access.

Found by inspection.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

diff --git a/lib/flow.c b/lib/flow.c
index 6129703..59b5fb7 100644 (file)
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -1065,6 +1065,7 @@ flow_compose(struct ofpbuf *b, const struct flow *flow)
             }
         }
 
+        ip = b->l3;
         ip->ip_tot_len = htons((uint8_t *) b->data + b->size
                                - (uint8_t *) b->l3);
     } else if (flow->dl_type == htons(ETH_TYPE_IPV6)) {