ovs-ofctl: Fix use-after-free error in del-flows command.

author Jean Tourrilhes <jt@hpl.hp.com>

Wed, 4 Nov 2009 21:21:07 +0000 (13:21 -0800)

committer Justin Pettit <jpettit@nicira.com>

Wed, 4 Nov 2009 21:21:07 +0000 (13:21 -0800)
author Jean Tourrilhes <jt@hpl.hp.com>
Wed, 4 Nov 2009 21:21:07 +0000 (13:21 -0800)
committer Justin Pettit <jpettit@nicira.com>
Wed, 4 Nov 2009 21:21:07 +0000 (13:21 -0800)
diff --git a/utilities/ovs-ofctl.c b/utilities/ovs-ofctl.c

index 7611415..9efd484 100644 (file)
--- a/utilities/ovs-ofctl.c
+++ b/utilities/ovs-ofctl.c
@@ -948,11 +948,15 @@ static void do_del_flows(const struct settings *s, int argc, char *argv[])
      uint16_t out_port;
      struct ofpbuf *buffer;
      struct ofp_flow_mod *ofm;
+    struct ofp_match match;
  
-    /* Parse and send. */
-    ofm = make_openflow(sizeof *ofm, OFPT_FLOW_MOD, &buffer);
-    str_to_flow(argc > 2 ? argv[2] : "", &ofm->match, NULL, NULL, 
-                &out_port, &priority, NULL, NULL);
+    /* Parse and send.  str_to_flow() will expand and reallocate the data in
+     * 'buffer', so we can't keep pointers to across the str_to_flow() call. */
+    make_openflow(sizeof *ofm, OFPT_FLOW_MOD, &buffer);
+    str_to_flow(argc > 2 ? argv[2] : "", &match, buffer, 
+                NULL, &out_port, &priority, NULL, NULL);
+    ofm = buffer->data;
+    ofm->match = match;
      if (s->strict) {
          ofm->command = htons(OFPFC_DELETE_STRICT);
      } else {
author	Jean Tourrilhes <jt@hpl.hp.com>
	Wed, 4 Nov 2009 21:21:07 +0000 (13:21 -0800)
committer	Justin Pettit <jpettit@nicira.com>
	Wed, 4 Nov 2009 21:21:07 +0000 (13:21 -0800)