[ovs-dev] [PATCH] ofproto-dpif-upcall: Fix additional use-after-free in revalidate().

Ben Pfaff blp at nicira.com
Wed May 21 22:52:39 UTC 2014


On Thu, May 22, 2014 at 10:25:04AM +1200, Joe Stringer wrote:
> So just to make sure I'm understanding correctly,
> 
> 1) revalidator calls dpif_flow_dump_next_may_destroy_keys(), which
> indicates that it will not destroy the buffer.
> 2) revalidator calls dpif_flow_dump_next(), which dumps a flow without
> actions. The most likely case is that this is the last flow in the batch.
> 3) dpif_flow_dump_next() attempts to retrieve the actions, but fails.
> 4) dpif_flow_dump_next() continues in the loop, and fetches a new batch via
> nl_dump_next(), breaking the guarantee that may_destroy_keys() gave.
> 
> Then, the proposed solution is to eliminate flow deletion batching.

Yes, that's correct.

> I have a couple of thoughts:-
> 
> Could we fix it instead by changing the
> dpif_linux_flow_dump_next_may_destroy_keys() to copy the ofpbuf, seek ahead
> and check if actions exist so that it provides the proper guarantee?

Hmm.  That is an approach that I did not consider.  It would be
better, so I'll see what I can do.
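
A toy C model of the sequence listed in steps 1 to 4 above and of the seek-ahead check proposed in the quoted reply. It is an added example, not part of the original message and not Open vSwitch code; every struct, function name and sample flow in it is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy model only: every name here is hypothetical, none of it is OVS code. */
#define BATCH 3
struct flow { int key; bool has_actions; };
struct dump {
    const struct flow *src; size_t src_len, src_pos;  /* stands in for the datapath */
    struct flow buf[BATCH]; size_t pos, len;          /* reused for every batch */
    unsigned generation;                              /* bumped when buf is overwritten */
};
/* Constructed sample: flow 3 ends the first batch and has no actions. */
static const struct flow sample[] = {{1,true},{2,true},{3,false},{4,true},{5,true},{6,true}};

static bool refill(struct dump *d) {       /* models fetching a new batch */
    d->pos = d->len = 0;
    while (d->len < BATCH && d->src_pos < d->src_len)
        d->buf[d->len++] = d->src[d->src_pos++];
    d->generation++;
    return d->len > 0;
}

static const struct flow *dump_next(struct dump *d) {
    for (;;) {
        if (d->pos >= d->len && !refill(d)) return NULL;
        const struct flow *f = &d->buf[d->pos++];
        if (f->has_actions) return f;  /* else: no actions, retry fails, keep looping */
    }
}

/* Weak guarantee: only asks whether the current batch is used up. */
static bool may_destroy_weak(const struct dump *d) { return d->pos >= d->len; }
/* Seek-ahead guarantee: also true when no remaining flow carries actions. */
static bool may_destroy_seek(const struct dump *d) {
    for (size_t i = d->pos; i < d->len; i++)
        if (d->buf[i].has_actions) return false;
    return true;
}

/* Counts calls where the predicate promised the buffer would survive the
 * next dump_next() call, yet the buffer was replaced during that call. */
static int broken_guarantees(bool (*may_destroy)(const struct dump *)) {
    struct dump d = { .src = sample, .src_len = sizeof sample / sizeof sample[0] };
    int broken = 0;
    refill(&d);
    for (;;) {
        bool may = may_destroy(&d);
        unsigned gen = d.generation;
        if (!dump_next(&d)) return broken;
        if (!may && d.generation != gen) broken++;
    }
}
```

With the constructed sample, the weak predicate breaks its promise once (at flow 3) and the seek-ahead predicate never does.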
