From f45e528e1698d50a2885df9947cee48644eedb53 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@ovn.org>
Date: Wed, 14 Feb 2018 14:36:47 -0800
Subject: [PATCH] ofp-meter: Fix use-after-free for decoding meter mods.

ofputil_pull_bands() may change bands->data.

Found by libfuzzer-ngram.

Reported-by: Bhargava Shastry <bshastry@sect.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Yifeng Sun<pkusunyifeng@gmail.com>
---
 lib/ofp-util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index 0d4dfb27e51..1a2a646ad7f 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -1863,12 +1863,12 @@ ofputil_decode_meter_mod(const struct ofp_header *oh,
             mm->meter.flags & OFPMF13_PKTPS) {
             return OFPERR_OFPMMFC_BAD_FLAGS;
         }
-        mm->meter.bands = bands->data;
 
         error = ofputil_pull_bands(&b, b.size, &mm->meter.n_bands, bands);
         if (error) {
             return error;
         }
+        mm->meter.bands = bands->data;
     }
     return 0;
 }