[ovs-dev] [PATCH] ofproto: Fix use after free in ofoperation_complete().

Ben Pfaff blp at nicira.com
Thu Jun 7 23:41:25 UTC 2012


I agree.  Thanks, Ethan!

On Thu, Jun 07, 2012 at 01:13:00PM -0700, Justin Pettit wrote:
> Nice catch.  Thanks.
> 
> --Justin
> 
> 
> On Jun 7, 2012, at 1:08 PM, Ethan Jackson wrote:
> 
> > In one edge case, ofoperation_complete() destroys its rule, without
> > updating its ofoperation that the rule is gone.  Later in the same
> > function, ofoperation_destroy() attempts to modify the rule which
> > already destroyed.
> > 
> > Signed-off-by: Ethan Jackson <ethan at nicira.com>
> > ---
> > ofproto/ofproto.c |    1 +
> > 1 file changed, 1 insertion(+)
> > 
> > diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
> > index 0c24314..eed0458 100644
> > --- a/ofproto/ofproto.c
> > +++ b/ofproto/ofproto.c
> > @@ -3617,6 +3617,7 @@ ofoperation_complete(struct ofoperation *op, enum ofperr error)
> >         } else {
> >             oftable_substitute_rule(rule, op->victim);
> >             ofproto_rule_destroy__(rule);
> > +            op->rule = NULL;
> >         }
> >         break;
> > 
> > -- 
> > 1.7.10.2
> > 
> > _______________________________________________
> > dev mailing list
> > dev at openvswitch.org
> > http://openvswitch.org/mailman/listinfo/dev
> 
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev



More information about the dev mailing list