[ovs-dev] [PATCH 1/3] dpif-netdev: Fix use-after-free in port_unref().
Ben Pfaff
blp at nicira.com
Wed May 21 00:11:24 UTC 2014
When the last rxq is closed (which releases the rxq's internal reference
to its netdev) the next call to netdev_n_rxq() accesses freed memory.
Found by valgrind.
Signed-off-by: Ben Pfaff <blp at nicira.com>
Reported-by: Jarno Rajahalme <jrajahalme at nicira.com>
---
lib/dpif-netdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 0becd03..a2e3308 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -811,12 +811,14 @@ static void
port_unref(struct dp_netdev_port *port)
{
if (port && ovs_refcount_unref(&port->ref_cnt) == 1) {
+ int n_rxq;
int i;
netdev_close(port->netdev);
netdev_restore_flags(port->sf);
- for (i = 0; i < netdev_n_rxq(port->netdev); i++) {
+ n_rxq = netdev_n_rxq(port->netdev);
+ for (i = 0; i < n_rxq; i++) {
netdev_rxq_close(port->rxq[i]);
}
free(port->type);
--
1.7.10.4
More information about the dev
mailing list