[ovs-dev] [PATCH v2] pinctrl: Fix memory leak for NAT IPs in send_garp_run().

Justin Pettit jpettit at ovn.org
Fri Aug 19 18:34:04 UTC 2016


> On Aug 19, 2016, at 9:03 AM, Ben Pfaff <blp at ovn.org> wrote:
> 
> send_garp_run() allocated and populated a shash of struct lport_addresses,
> but it only freed some of the data.  This fixes the problem.
> 
> CC: Chandra S Vejendla <csvejend at us.ibm.com>
> Reported-by: Ramu Ramamurthy <ramu.ramamurthy at gmail.com>
> Fixes: 8439c2ebd823 ("ovn: Support for GARP for NAT IPs via localnet")
> Signed-off-by: Ben Pfaff <blp at ovn.org>

I think this may fix a possible use-after-free problem with "nat_addresses", too.  There are two separate calls to send_garp_update() in send_garp_run() that take "nat_addresses" as an argument.  If "laddrs" is used in the first call, the data is freed, but the data pointer still exists in "nat_addresses".  It's possible that a second call could then try to dereference the pointer value that's there.  I didn't look closely enough at the code to see if something makes sure that both calls can never reference the same entry, though.

Acked-by: Justin Pettit <jpettit at ovn.org>

--Justin





More information about the dev mailing list