[ovs-dev] [PATCH] ofproto-dpif-upcall: Avoid use-after-free in revalidate() corner cases.

Ben Pfaff blp at nicira.com
Thu May 15 22:36:13 UTC 2014


The loop in revalidate() needs to ensure that any data obtained from
dpif_flow_dump_next() is used before it is destroyed, as indicated by
dpif_flow_dump_next_may_destroy_keys().  In the common case, where
processing reaches the end of the main "while" loop, it does this, but
in two corner cases the code in the loop executed "continue;", which skipped
the check.  This commit fixes the problem.

Bug #1249988.
Signed-off-by: Ben Pfaff <blp at nicira.com>
---
 ofproto/ofproto-dpif-upcall.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
index e1117ba..f15e916 100644
--- a/ofproto/ofproto-dpif-upcall.c
+++ b/ofproto/ofproto-dpif-upcall.c
@@ -1470,7 +1470,7 @@ revalidate(struct revalidator *revalidator)
                  * flow this time. */
                 ovs_mutex_unlock(&ukey->mutex);
                 COVERAGE_INC(upcall_duplicate_flow);
-                continue;
+                goto next;
             }
 
             used = ukey->created;
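Review bot: the `goto next;` in the duplicate-flow branch carries no comment saying why a plain `continue;` is wrong here, so a later cleanup could change it back and reintroduce the bug without any compiler complaint. A one-line comment at the jump, stating that the dpif_flow_dump_next_may_destroy_keys() check has to run on every iteration, would record the invariant. ovs_mutex_unlock(&ukey->mutex) still runs before the jump, so the lock is not carried to the label.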
@@ -1493,7 +1493,7 @@ revalidate(struct revalidator *revalidator)
                      * another revalidator is processing this flow
                      * concurrently, so don't bother processing it. */
                     ukey_delete(NULL, ukey);
-                    continue;
+                    goto next;
                 }
             }
 
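Review bot: in the branch that calls `ukey_delete(NULL, ukey);`, control now reaches the code after `next:` with ukey already deleted, so please confirm that nothing between the label and the end of the loop body reads ukey. The lines visible after the label use only &udpif->dump and state, which is fine. If that tail ever grows a use of ukey, setting ukey to NULL before the `goto next;` would make the mistake fail loudly instead of reading freed memory.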
@@ -1511,6 +1511,7 @@ revalidate(struct revalidator *revalidator)
             dump_op_init(&ops[n_ops++], key, key_len, ukey);
         }
 
+    next:
         may_destroy = dpif_flow_dump_next_may_destroy_keys(&udpif->dump,
                                                            state);
 
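Review bot: the `next:` label makes the may_destroy check reachable from the two early exits, but any `continue;` added to this loop later will skip it again. Consider a comment at the label saying that every path through the loop body must pass through it, or restructure the loop so the check sits where `continue` cannot bypass it (for example in the loop's increment expression).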
-- 
1.7.10.4
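The corner case described in the commit message, reduced to a stand-alone C model. This is an added example, not code from Open vSwitch: `struct dump`, `dump_next()`, `dump_may_destroy()`, `flush()` and `revalidate_mock()` are hypothetical stand-ins, and the "destroyed" keys are overwritten rather than freed so the stale reads can be counted safely.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define BATCH 4    /* keys per dump buffer (constructed value) */
#define MAX_OPS 8  /* op batch limit (constructed value) */

/* Hypothetical stand-in for the flow dump: a refill overwrites buf[]. */
struct dump { int buf[BATCH]; int pos, next_id, total; };
struct op { const int *key; int expect; };
static bool dump_next(struct dump *d, const int **key) {
    if (d->next_id >= d->total) return false;
    if (d->pos == BATCH) {                 /* refill destroys old keys */
        memset(d->buf, 0xff, sizeof d->buf);
        d->pos = 0;
    }
    d->buf[d->pos] = d->next_id++;
    *key = &d->buf[d->pos++];
    return true;
}
/* True when the next dump_next() call will overwrite the keys. */
static bool dump_may_destroy(const struct dump *d) { return d->pos == BATCH; }
/* Consume queued ops; count those whose key no longer holds its value. */
static int flush(struct op *ops, int *n_ops) {
    int stale = 0;
    for (int i = 0; i < *n_ops; i++) stale += *ops[i].key != ops[i].expect;
    *n_ops = 0;
    return stale;
}

/* Returns the number of ops consumed after their key was overwritten. */
int revalidate_mock(int total, int skip_id, bool fixed) {
    struct dump d = { .pos = BATCH, .total = total };
    struct op ops[MAX_OPS];
    const int *key;
    int n_ops = 0, stale = 0;
    while (dump_next(&d, &key)) {
        if (*key == skip_id) {             /* e.g. a duplicate flow */
            if (fixed) goto next;
            continue;                      /* pre-patch: skips the check */
        }
        ops[n_ops++] = (struct op){ key, *key };
    next:
        if (n_ops == MAX_OPS || dump_may_destroy(&d)) stale += flush(ops, &n_ops);
    }
    return stale + flush(ops, &n_ops);
}
int main(void) {
    printf("pre-patch: %d stale, patched: %d stale\n", revalidate_mock(8, 3, false), revalidate_mock(8, 3, true));
    return 0;
}
```

The stale reads appear only when the skipped key is the last one in its buffer, which is why the bug shows up only in corner cases.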
