[ovs-dev] [PATCH 1/3] dpif-netdev: Fix use-after-free in port_unref().

Jarno Rajahalme jrajahalme at nicira.com
Wed May 21 19:42:29 UTC 2014


Acked-by: Jarno Rajahalme <jrajahalme at nicira.com>

On May 20, 2014, at 5:11 PM, Ben Pfaff <blp at nicira.com> wrote:

> When the last rxq is closed (which releases the rxq's internal reference
> to its netdev) the next call to netdev_n_rxq() accesses freed memory.
> 
> Found by valgrind.
> 
> Signed-off-by: Ben Pfaff <blp at nicira.com>
> Reported-by: Jarno Rajahalme <jrajahalme at nicira.com>
> ---
> lib/dpif-netdev.c |    4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
> index 0becd03..a2e3308 100644
> --- a/lib/dpif-netdev.c
> +++ b/lib/dpif-netdev.c
> @@ -811,12 +811,14 @@ static void
> port_unref(struct dp_netdev_port *port)
> {
>     if (port && ovs_refcount_unref(&port->ref_cnt) == 1) {
> +        int n_rxq;
>         int i;
> 
>         netdev_close(port->netdev);
>         netdev_restore_flags(port->sf);
> 
> -        for (i = 0; i < netdev_n_rxq(port->netdev); i++) {
> +        n_rxq = netdev_n_rxq(port->netdev);
> +        for (i = 0; i < n_rxq; i++) {
>             netdev_rxq_close(port->rxq[i]);
>         }
>         free(port->type);
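
Review bot: n_rxq is still read after netdev_close(port->netdev), so the new `n_rxq = netdev_n_rxq(port->netdev);` line is only safe while at least one rxq holds its own reference to the netdev. If the port has no rxqs, or the rxq references are ever dropped earlier, the port's reference released by netdev_close() may be the last one and this call reads freed memory just as the old loop condition did. Suggest reading n_rxq before netdev_close(port->netdev), or moving netdev_close() after the rxq loop, and adding a short comment saying that the rxqs hold netdev references, so the ordering constraint is documented.
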
> -- 
> 1.7.10.4
> 



