ofp-meter: Fix use-after-free for decoding meter mods.

ofputil_pull_bands() may change bands->data. Found by libfuzzer-ngram. Reported-by: Bhargava Shastry <bshastry@sect.tu-berlin.de> Signed-off-by: Ben Pfaff <blp@ovn.org> Reviewed-by: Yifeng Sun<pkusunyifeng@gmail.com>
openvswitch · Feb 16, 2018 · f45e528 · f45e528
1 parent 17f51c6
commit f45e528
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
@@ -1863,12 +1863,12 @@ ofputil_decode_meter_mod(const struct ofp_header *oh,
             mm->meter.flags & OFPMF13_PKTPS) {
             return OFPERR_OFPMMFC_BAD_FLAGS;
         }
-        mm->meter.bands = bands->data;
 
         error = ofputil_pull_bands(&b, b.size, &mm->meter.n_bands, bands);
         if (error) {
             return error;
         }
+        mm->meter.bands = bands->data;
     }
     return 0;
 }