lflow: fix possible use-after-free in add_lb_vip_hairpin_reply_action

ofpbuf_put_zeros routine can rellocate the buffer if the requested size is bigger than buffer tailroom. Reload ol pointer before running ofpact_finish_LEARN in order to avoid a possible use-after-free in add_lb_vip_hairpin_reply_action routine. Fixes: 022ea33 ("lflow: Use learn() action to generate LB hairpin reply flows.") Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Numan Siddique <numans@ovn.org> (cherry picked from commit 25cb887)
ovn-org · Jul 19, 2022 · 6e5dc3f · 6e5dc3f
1 parent d13d1ab
commit 6e5dc3f
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/controller/lflow.c b/controller/lflow.c
@@ -1745,6 +1745,7 @@ add_lb_vip_hairpin_reply_action(struct in6_addr *vip6, ovs_be32 vip,
                                 uint64_t cookie, struct ofpbuf *ofpacts)
 {
     struct match match = MATCH_CATCHALL_INITIALIZER;
+    size_t ol_offset = ofpacts->size;
     struct ofpact_learn *ol = ofpact_put_LEARN(ofpacts);
     struct ofpact_learn_spec *ol_spec;
     unsigned int imm_bytes;
@@ -1898,6 +1899,8 @@ add_lb_vip_hairpin_reply_action(struct in6_addr *vip6, ovs_be32 vip,
     src_imm = ofpbuf_put_zeros(ofpacts, OFPACT_ALIGN(imm_bytes));
     memcpy(src_imm, &imm_reg_value, imm_bytes);
 
+    /* Reload ol pointer since ofpacts buffer can be reallocated. */
+    ol = ofpbuf_at_assert(ofpacts, ol_offset, sizeof *ol);
     ofpact_finish_LEARN(ofpacts, &ol);
 }