[ovs-dev] [PATCH] ofproto: Fix use after free in ofoperation_complete().

Justin Pettit jpettit at nicira.com
Thu Jun 7 20:13:00 UTC 2012


Nice catch.  Thanks.

--Justin


On Jun 7, 2012, at 1:08 PM, Ethan Jackson wrote:

> In one edge case, ofoperation_complete() destroys its rule, without
> updating its ofoperation that the rule is gone.  Later in the same
> function, ofoperation_destroy() attempts to modify the rule which
> is already destroyed.
> 
> Signed-off-by: Ethan Jackson <ethan at nicira.com>
> ---
> ofproto/ofproto.c |    1 +
> 1 file changed, 1 insertion(+)
> 
> diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
> index 0c24314..eed0458 100644
> --- a/ofproto/ofproto.c
> +++ b/ofproto/ofproto.c
> @@ -3617,6 +3617,7 @@ ofoperation_complete(struct ofoperation *op, enum ofperr error)
>         } else {
>             oftable_substitute_rule(rule, op->victim);
>             ofproto_rule_destroy__(rule);
> +            op->rule = NULL;
>         }
>         break;
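
Review bot: The added op->rule = NULL after ofproto_rule_destroy__(rule) only helps if ofoperation_destroy() tests op->rule before touching it, and that check is not visible in this hunk, so it is worth confirming and stating in the commit message. The local rule pointer passed to oftable_substitute_rule() and ofproto_rule_destroy__() still dangles after this branch. Any later use of rule in ofoperation_complete() would hit the same freed memory, so consider clearing it as well or checking that nothing after the break reads it. A one-line comment on the new assignment saying that the rule is gone and ofoperation_destroy() must not touch it would keep the line from being removed as redundant later.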
> 
> -- 
> 1.7.10.2
> 