[ovs-dev] [valgrind 2/5] dpif-netdev: Fix another use-after-free in port_unref().

Ben Pfaff blp at nicira.com
Thu Jun 5 00:07:35 UTC 2014


Commit 87400a3d4cc4a (dpif-netdev: Fix use-after-free in port_unref().)
fixed one use-after-free in the common case of port_unref().  However,
there was another, similar case: if port->netdev has no rxqs, then
the netdev_close() causes port->netdev to be destroyed and thus the
following call to netdev_n_rxq() accesses freed memory.  This commit fixes
the problem.

Found by valgrind.

Signed-off-by: Ben Pfaff <blp at nicira.com>
---
 lib/dpif-netdev.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 91c83d6..112ebb1 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -820,13 +820,12 @@ port_ref(struct dp_netdev_port *port)
 static void
 port_destroy__(struct dp_netdev_port *port)
 {
-    int n_rxq;
+    int n_rxq = netdev_n_rxq(port->netdev);
     int i;
 
     netdev_close(port->netdev);
     netdev_restore_flags(port->sf);
 
-    n_rxq = netdev_n_rxq(port->netdev);
     for (i = 0; i < n_rxq; i++) {
         netdev_rxq_close(port->rxq[i]);
     }
-- 
1.7.10.4




More information about the dev mailing list