[ovs-dev] [PATCH 1/3] dpif-netdev: Fix use-after-free in port_unref().

Ben Pfaff blp at nicira.com
Wed May 21 00:11:24 UTC 2014


When the last rxq is closed (which releases the rxq's internal reference
to its netdev) the next call to netdev_n_rxq() accesses freed memory.

Found by valgrind.

Signed-off-by: Ben Pfaff <blp at nicira.com>
Reported-by: Jarno Rajahalme <jrajahalme at nicira.com>
---
 lib/dpif-netdev.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 0becd03..a2e3308 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -811,12 +811,14 @@ static void
 port_unref(struct dp_netdev_port *port)
 {
     if (port && ovs_refcount_unref(&port->ref_cnt) == 1) {
+        int n_rxq;
         int i;
 
         netdev_close(port->netdev);
         netdev_restore_flags(port->sf);
 
-        for (i = 0; i < netdev_n_rxq(port->netdev); i++) {
+        n_rxq = netdev_n_rxq(port->netdev);
+        for (i = 0; i < n_rxq; i++) {
             netdev_rxq_close(port->rxq[i]);
         }
         free(port->type);
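Review bot: The new read `n_rxq = netdev_n_rxq(port->netdev);` still comes after `netdev_close(port->netdev)`, so it appears to rely on the rxqs' internal references keeping the netdev alive at that point. If a port can ever reach this path with no open rxq, the read would touch the same freed memory the commit message describes. Consider taking the count before `netdev_close()`, or moving `netdev_close(port->netdev)` below the loop. A one-line comment explaining why the count is cached would also keep the call from being folded back into the loop condition later.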
-- 
1.7.10.4



