[ovs-dev] [PATCH] ofproto-dpif-upcall: Avoid use-after-free in revalidate() corner cases.

Joe Stringer joestringer at nicira.com
Thu May 15 22:49:53 UTC 2014


Acked-by: Joe Stringer <joestringer at nicira.com>


On 16 May 2014 10:36, Ben Pfaff <blp at nicira.com> wrote:

> The loop in revalidate() needs to ensure that any data obtained from
> dpif_flow_dump_next() is used before it is destroyed, as indicated by
> dpif_flow_dump_next_may_destroy_keys().  In the common case, where
> processing reaches the end of the main "while" loop, it does this, but
> in two corner cases the code in the loop executes "continue;", which skipped
> the check.  This commit fixes the problem.
>
> Bug #1249988.
> Signed-off-by: Ben Pfaff <blp at nicira.com>
> ---
>  ofproto/ofproto-dpif-upcall.c |    5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
> index e1117ba..f15e916 100644
> --- a/ofproto/ofproto-dpif-upcall.c
> +++ b/ofproto/ofproto-dpif-upcall.c
> @@ -1470,7 +1470,7 @@ revalidate(struct revalidator *revalidator)
>                   * flow this time. */
>                  ovs_mutex_unlock(&ukey->mutex);
>                  COVERAGE_INC(upcall_duplicate_flow);
> -                continue;
> +                goto next;
>              }
>
>              used = ukey->created;
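Review bot: At the `goto next;` in the duplicate-flow branch, nothing tells a later reader why this is not a plain `continue;`, which is the form that caused the bug. A one-line comment here, saying that the dpif_flow_dump_next_may_destroy_keys() check must run before the next iteration, would keep it from being simplified back. The jump is taken after `ovs_mutex_unlock(&ukey->mutex);`, so it is also worth confirming that the fall-through path has released the mutex by the time it reaches the label, since that unlock is not visible in this hunk.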
> @@ -1493,7 +1493,7 @@ revalidate(struct revalidator *revalidator)
>                       * another revalidator is processing this flow
>                       * concurrently, so don't bother processing it. */
>                      ukey_delete(NULL, ukey);
> -                    continue;
> +                    goto next;
>                  }
>              }
>
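Review bot: The `goto next;` here runs right after `ukey_delete(NULL, ukey);`, so assuming ukey_delete() frees its argument, `ukey` is a dangling pointer when control reaches the label. The lines visible after `next:` only use `udpif->dump` and `state`, but please confirm nothing further down the loop tail reads `ukey`, or set `ukey = NULL;` before the jump so that any such use fails loudly instead of touching freed memory.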
> @@ -1511,6 +1511,7 @@ revalidate(struct revalidator *revalidator)
>              dump_op_init(&ops[n_ops++], key, key_len, ukey);
>          }
>
> +    next:
>          may_destroy = dpif_flow_dump_next_may_destroy_keys(&udpif->dump,
>                                                             state);
>
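Review bot: The `next:` label covers the two known `continue;` sites, but the loop still depends on every early exit remembering to jump here, and nothing at the label says so. Add a comment above `next:` stating that all paths through the loop body must reach the may_destroy check, or move the per-flow work into a helper function so the check is the only thing left in the loop tail and a later `continue;` cannot bypass it. It would also help to state in the commit message whether these were the only `continue;` statements in the loop, since only two are visible in this patch.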
> --
> 1.7.10.4
>