[ovs-dev] [PATCH] ofproto: Fix use after free in ofoperation_complete().
Ethan Jackson
ethan at nicira.com
Thu Jun 7 20:08:05 UTC 2012
In one edge case, ofoperation_complete() destroys its rule, without
updating its ofoperation that the rule is gone. Later in the same
function, ofoperation_destroy() attempts to modify the rule which
already destroyed.
Signed-off-by: Ethan Jackson <ethan at nicira.com>
---
ofproto/ofproto.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
index 0c24314..eed0458 100644
--- a/ofproto/ofproto.c
+++ b/ofproto/ofproto.c
@@ -3617,6 +3617,7 @@ ofoperation_complete(struct ofoperation *op, enum ofperr error)
} else {
oftable_substitute_rule(rule, op->victim);
ofproto_rule_destroy__(rule);
+ op->rule = NULL;
}
break;
--
1.7.10.2
More information about the dev
mailing list