diff options
| author | Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> | 2021-08-12 12:03:33 +0530 |
|---|---|---|
| committer | Ilya Maximets <i.maximets@ovn.org> | 2021-08-16 19:22:35 +0200 |
| commit | d3776e354cff3b8c8eced49a9d30c24316e4ff5a (patch) | |
| tree | e276c1a2450235b95fe0a53f22283b40d0118687 | |
| parent | f7e3b47e09af7aa77c922fdb70ff0bb39551671b (diff) | |
| download | openvswitch-d3776e354cff3b8c8eced49a9d30c24316e4ff5a.tar.gz | |
dynamic-string: Fix a crash in ds_clone().
ds_clone() crashes while trying to clone an empty dynamic string.
It happens because it doesn't check if memory was allocated and
tries to read from the NULL pointer. ds_init() doesn't allocate
any memory.
For example:
In netdev_offload_dpdk_flow_create() when an offload request fails,
dump_flow() is called to log a warning message. The 's_tnl' string
in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally
via ds_put_format(). If it is not initialized, it crashes later in
dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string.
To fix this, check if memory for the src string has been allocated,
before copying it to the dst string.
Fixes: fa44a4a3ff7b ("ovn-controller: Persist desired conntrack groups.")
Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
| -rw-r--r-- | lib/dynamic-string.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/dynamic-string.c b/lib/dynamic-string.c index 6f7b610a9..fd0127ed1 100644 --- a/lib/dynamic-string.c +++ b/lib/dynamic-string.c @@ -460,6 +460,10 @@ ds_chomp(struct ds *ds, int c) void ds_clone(struct ds *dst, struct ds *source) { + if (!source->allocated) { + ds_init(dst); + return; + } dst->length = source->length; dst->allocated = dst->length; dst->string = xmalloc(dst->allocated + 1); |