[ovs-dev] [PATCH] ofproto-dpif-upcall: Fix additional use-after-free in revalidate().

Ben Pfaff blp at nicira.com
Wed May 21 23:27:21 UTC 2014


On Wed, May 21, 2014 at 03:52:39PM -0700, Ben Pfaff wrote:
> On Thu, May 22, 2014 at 10:25:04AM +1200, Joe Stringer wrote:
> > So just to make sure I'm understanding correctly,
> > 
> > 1) revalidator calls dpif_flow_dump_next_may_destroy_keys(), which
> > indicates that it will not destroy the buffer.
> > 2) revalidator calls dpif_flow_dump_next(), which dumps a flow without
> > actions. The most likely case is that this is the last flow in the batch.
> > 3) dpif_flow_dump_next() attempts to retrieve the actions, but fails.
> > 4) dpif_flow_dump_next() continues in the loop, and fetches a new batch via
> > nl_dump_next(), breaking the guarantee that may_destroy_keys() gave.
> > 
> > Then, the proposed solution is to eliminate flow deletion batching.
> 
> Yes, that's correct.
> 
> > I have a couple of thoughts:-
> > 
> > Could we fix it instead by changing the
> > dpif_linux_flow_dump_next_may_destroy_keys() to copy the ofpbuf, seek ahead
> > and check if actions exist so that it provides the proper guarantee?
> 
> Hmm.  That is an approach that I did not consider.  It would be
> better, so I'll see what I can do.

I sent out v2 that adopts this idea.
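
The sequence in steps 1-4 above and the seek-ahead idea, as an added toy model in C that is not part of the original message and is not Open vSwitch code. All names here (`struct dump`, `may_destroy_naive`, `may_destroy_peek`, `BATCH`, the sample table) are hypothetical, and a generation counter stands in for the batch buffer being destroyed on refill.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed toy model, not OVS code: a flow may lack actions. */
struct flow { int key; bool has_actions; };
static const struct flow SAMPLE[] = {   /* constructed sample table */
    {1, true}, {2, true}, {3, false}, {4, true}, {5, true} };
#define BATCH 3
struct dump {
    const struct flow *src; size_t n_src, fetched; /* backing flow table */
    struct flow buf[BATCH]; size_t n_buf, pos;     /* current batch buffer */
    unsigned gen;             /* bumped on refill: old key pointers are stale */
};
static bool refill(struct dump *d) {
    d->n_buf = d->pos = 0;
    d->gen++;
    while (d->n_buf < BATCH && d->fetched < d->n_src)
        d->buf[d->n_buf++] = d->src[d->fetched++];
    return d->n_buf > 0;
}
/* Weak check: promises the buffer survives whenever entries remain. */
static bool may_destroy_naive(const struct dump *d) { return d->pos >= d->n_buf; }
/* Seek-ahead check: promises survival only if a flow with actions remains. */
static bool may_destroy_peek(const struct dump *d) {
    for (size_t i = d->pos; i < d->n_buf; i++)
        if (d->buf[i].has_actions) return false;
    return true;
}
/* Returns the next flow that has actions, refilling the buffer as needed. */
static const struct flow *dump_next(struct dump *d) {
    for (;;) {
        if (d->pos >= d->n_buf && !refill(d)) return NULL;
        const struct flow *f = &d->buf[d->pos++];
        if (f->has_actions) return f;  /* otherwise skip it and keep looping */
    }
}
/* Counts "will not destroy" answers that were followed by a refill anyway. */
static int broken_guarantees(bool (*may_destroy)(const struct dump *),
                             const struct flow *tbl, size_t n) {
    struct dump d = { .src = tbl, .n_src = n };
    for (int broken = 0;;) {
        bool promised_safe = !may_destroy(&d);
        unsigned before = d.gen;
        if (!dump_next(&d)) return broken;
        if (promised_safe && d.gen != before) broken++;
    }
}
int main(void) {  /* exit 0: naive check breaks once, seek-ahead never */
    return broken_guarantees(may_destroy_naive, SAMPLE, 5) == 1 &&
           broken_guarantees(may_destroy_peek, SAMPLE, 5) == 0 ? 0 : 1;
}
```

With the sample table, the action-less flow is the last entry of the first batch, which is the case step 2 calls most likely.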


