ofpbuf: Fix arithmetic error in ofpbuf_insert().

memmove byte count was calculated incorrectly as ofpbuf_put_uninit is increasing b->size by n. This patch fixes it by reducing byte count by n. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12296 Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
openvswitch · Jan 18, 2019 · 39976b9 · 39976b9
1 parent b48aa14
commit 39976b9
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/ofpbuf.c b/lib/ofpbuf.c
@@ -469,9 +469,9 @@ void
 ofpbuf_insert(struct ofpbuf *b, size_t offset, const void *data, size_t n)
 {
     if (offset < b->size) {
-        ofpbuf_put_uninit(b, n);
+        ofpbuf_put_uninit(b, n); /* b->size gets increased. */
         memmove((char *) b->data + offset + n, (char *) b->data + offset,
-                b->size - offset);
+                b->size - offset - n);
         memcpy((char *) b->data + offset, data, n);
     } else {
         ovs_assert(offset == b->size);