diff options
| author | Pravin B Shelar <pshelar@nicira.com> | 2014-07-25 16:22:46 -0700 |
|---|---|---|
| committer | Pravin B Shelar <pshelar@nicira.com> | 2014-07-25 16:37:32 -0700 |
| commit | 02386a4c5c67b5e8f946a02b8773244d024a1cc5 (patch) | |
| tree | a8dc5f1ab41d06a83ea9549298ae646f60b64f1d | |
| parent | 6b31e07347ad28db9031cc00efbc30a553653517 (diff) | |
| download | openvswitch-02386a4c5c67b5e8f946a02b8773244d024a1cc5.tar.gz | |
datapath: Fix buffer overrun in mask array realloc.
mask realloc copies elements from old array to new array. When
shrinking array it can go beyond allocated memory.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>
| -rw-r--r-- | datapath/flow_table.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/datapath/flow_table.c b/datapath/flow_table.c index 765930e01..21f67bffb 100644 --- a/datapath/flow_table.c +++ b/datapath/flow_table.c @@ -247,9 +247,10 @@ static int tbl_mask_array_realloc(struct flow_table *tbl, int size) if (old) { int i; - for (i = 0; i < old->max; i++) + for (i = 0; i < min(old->max, new->max); i++) new->masks[i] = old->masks[i]; + BUG_ON(old->count > new->max); new->count = old->count; } rcu_assign_pointer(tbl->mask_array, new); |