[ovs-dev] [PATCH] ofproto-dpif-upcall: Avoid use-after-free in revalidate() corner cases.

Ben Pfaff blp at nicira.com
Thu May 15 23:02:48 UTC 2014


Thank you.  I applied this to master and the branches for 2.2 and
2.3.  (Earlier branches did not have the problem.)

On Fri, May 16, 2014 at 10:49:53AM +1200, Joe Stringer wrote:
> Acked-by: Joe Stringer <joestringer at nicira.com>
> 
> 
> On 16 May 2014 10:36, Ben Pfaff <blp at nicira.com> wrote:
> 
> > The loop in revalidate() needs to ensure that any data obtained from
> > dpif_flow_dump_next() is used before it is destroyed, as indicated by
> > dpif_flow_dump_next_may_destroy_keys().  In the common case, where
> > processing reaches the end of the main "while" loop, it does this, but
> > in two corner cases the code in the loop executed "continue;", which skipped
> > the check.  This commit fixes the problem.
> >
> > Bug #1249988.
> > Signed-off-by: Ben Pfaff <blp at nicira.com>
> > ---
> >  ofproto/ofproto-dpif-upcall.c |    5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
> > index e1117ba..f15e916 100644
> > --- a/ofproto/ofproto-dpif-upcall.c
> > +++ b/ofproto/ofproto-dpif-upcall.c
> > @@ -1470,7 +1470,7 @@ revalidate(struct revalidator *revalidator)
> >                   * flow this time. */
> >                  ovs_mutex_unlock(&ukey->mutex);
> >                  COVERAGE_INC(upcall_duplicate_flow);
> > -                continue;
> > +                goto next;
> >              }
> >
> >              used = ukey->created;
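
Review bot: The "goto next" in the duplicate-flow branch covers this exit, but any "continue;" left inside the while loop would still skip the dpif_flow_dump_next_may_destroy_keys() check, and only two sites are converted in this patch. Please confirm that no other "continue;" remains in the loop body of revalidate(), since the rest of the loop is not visible in these hunks.
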
> > @@ -1493,7 +1493,7 @@ revalidate(struct revalidator *revalidator)
> >                       * another revalidator is processing this flow
> >                       * concurrently, so don't bother processing it. */
> >                      ukey_delete(NULL, ukey);
> > -                    continue;
> > +                    goto next;
> >                  }
> >              }
> >
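
Review bot: After ukey_delete(NULL, ukey) in this branch, ukey has to be treated as invalid, and "goto next" now carries it into the code at the label rather than straight back to the loop head. The lines visible at next: only use udpif->dump and state, but it is worth confirming that nothing later in the loop body reads ukey, or setting ukey = NULL before the jump so that a future use fails loudly.
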
> > @@ -1511,6 +1511,7 @@ revalidate(struct revalidator *revalidator)
> >              dump_op_init(&ops[n_ops++], key, key_len, ukey);
> >          }
> >
> > +    next:
> >          may_destroy = dpif_flow_dump_next_may_destroy_keys(&udpif->dump,
> >                                                             state);
> >
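
Review bot: The next: label has no comment saying why it exists, so a later edit could add another "continue;" above it and reintroduce the skipped check. Suggest a short comment at the label stating that every early exit from the loop body must jump here, so that keys obtained from dpif_flow_dump_next() are used before they may be destroyed.
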
> > --
> > 1.7.10.4
> >
> >
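
The control-flow bug described in the commit message, as an added example that is not Open vSwitch code and not part of the original thread. It is a constructed model: the names revalidate_model, dump_next and flush, the batch size and the skip condition are assumptions, and stale keys are counted with a generation counter instead of touching freed memory.

```c
#include <stdbool.h>
/* Constructed model: keys live in a buffer that dump_next() refills,
 * invalidating earlier keys, once every BATCH calls. */
enum { BATCH = 4, TOTAL = 12 };
struct dump { int pos, generation; };
struct op { int key, generation; };

static bool dump_next(struct dump *d, int *key)
{
    if (d->pos >= TOTAL) return false;
    if (d->pos % BATCH == 0) d->generation++;    /* buffer refilled */
    *key = d->pos++;
    return true;
}

/* True when the next dump_next() call will refill the buffer. */
static bool dump_next_may_destroy_keys(const struct dump *d)
{
    return d->pos % BATCH == 0;
}

/* Runs queued ops; returns how many point at keys from a refilled buffer. */
static int flush(const struct dump *d, struct op *ops, int *n_ops)
{
    int stale = 0;
    for (int i = 0; i < *n_ops; i++)
        stale += ops[i].generation != d->generation;
    *n_ops = 0;
    return stale;
}

/* Skips the last key of each buffer, with "continue" or "goto next". */
int revalidate_model(bool use_goto)
{
    struct dump d = { 0, 0 };
    struct op ops[TOTAL];
    int n_ops = 0, stale = 0, key;
    while (dump_next(&d, &key)) {
        if (key % BATCH == BATCH - 1) {          /* corner case */
            if (use_goto) goto next;
            continue;                            /* skips the check below */
        }
        ops[n_ops].key = key;
        ops[n_ops++].generation = d.generation;
    next:
        if (dump_next_may_destroy_keys(&d)) stale += flush(&d, ops, &n_ops);
    }
    return stale + flush(&d, ops, &n_ops);
}
```

With "continue" the skipped key is always the one at the batch boundary, so queued operations outlive their buffer; with "goto next" every batch is flushed before the refill.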


