[ovs-dev] [PATCH 1/4] dpif-linux: Avoid null dereference if all ports disappear.

Ben Pfaff blp at nicira.com
Mon Jul 14 21:10:27 UTC 2014


When dpif_linux_refresh_channels() refreshes the set of channels when
the number of handlers changes, it destroys all the dpif's channels and
sets dpif->uc_array_size to 0.  If the port dump later in the function
turns up no ports (which generally indicates a bug), then no channels will
be allocated and thus dpif->uc_array_size will remain 0 and 'channels' will
be null in each handler.  This is self-consistent, at least, but
dpif_linux_port_get_pid__() was still willing in this situation to
try to access element 0 of the set of channels, dereferencing a null
pointer.

This fixes the problem.

I encountered this while looking at a bug that I had introduced during
development that caused the port dump to always be empty.  It would be
difficult to encounter in normal use.

Signed-off-by: Ben Pfaff <blp at nicira.com>
---
 lib/dpif-linux.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dpif-linux.c b/lib/dpif-linux.c
index bc284ab..ba4294f 100644
--- a/lib/dpif-linux.c
+++ b/lib/dpif-linux.c
@@ -825,7 +825,7 @@ dpif_linux_port_get_pid__(const struct dpif_linux *dpif, odp_port_t port_no,
     uint32_t port_idx = odp_to_u32(port_no);
     uint32_t pid = 0;
 
-    if (dpif->handlers) {
+    if (dpif->handlers && dpif->uc_array_size > 0) {
         /* The ODPP_NONE "reserved" port number uses the "ovs-system"'s
          * channel, since it is not heavily loaded. */
         uint32_t idx = port_idx >= dpif->uc_array_size ? 0 : port_idx;
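Review bot: the added `dpif->uc_array_size > 0` test in the `if` condition silently absorbs a state that the commit message says generally indicates a bug, and nothing at this site documents or reports it. When the test fails, `pid` keeps its initializer value of 0, and a reader cannot tell from the code why a non-null `dpif->handlers` could have no channels. Consider a short comment above the `if` noting that dpif_linux_refresh_channels() can leave uc_array_size at 0 when the port dump turns up no ports, and possibly a rate-limited warning on that path so the underlying problem shows up in logs. The fallback in `port_idx >= dpif->uc_array_size ? 0 : port_idx` is the access that needs at least one element, so the comment could also state that the outer check is what makes index 0 valid.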
-- 
1.7.10.4



