dynamic-string: Fix a crash in ds_clone().
ds_clone() crashes while trying to clone an empty dynamic string.
It happens because it doesn't check if memory was allocated and
tries to read from the NULL pointer.  ds_init() doesn't allocate
any memory.

For example:
In netdev_offload_dpdk_flow_create() when an offload request fails,
dump_flow() is called to log a warning message. The 's_tnl' string
in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally
via ds_put_format(). If it is not initialized, it crashes later in
dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string.

To fix this, check if memory for the src string has been allocated,
before copying it to the dst string.

Fixes: fa44a4a ("ovn-controller: Persist desired conntrack groups.")
Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
sbasavapatna authored and igsilya committed Aug 16, 2021
1 parent 8025437 commit 3e29c98
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/dynamic-string.c
Expand Up @@ -460,6 +460,10 @@ ds_chomp(struct ds *ds, int c)
void
ds_clone(struct ds *dst, struct ds *source)
{
if (!source->allocated) {
ds_init(dst);
return;
}
dst->length = source->length;
dst->allocated = dst->length;
dst->string = xmalloc(dst->allocated + 1);
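
Review bot: The guard added at the top of ds_clone() tests `source->allocated`, while the crash described in the commit message comes from memcpy() reading a NULL `source->string`, so the check relies on an unstated invariant that `allocated == 0` means there is nothing to copy. The context lines after the guard set `dst->allocated = dst->length` and then xmalloc `dst->allocated + 1` bytes, so a clone of a zero-length string ends up with `allocated == 0` and a non-NULL `string`; the guard still produces a correct empty result for that case, but a short comment above the `if` stating the invariant, or testing `!source->string` directly, would make the intent clear. The change touches only lib/dynamic-string.c, so a unit test that clones a ds straight after ds_init() would keep this from regressing.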