[ovs-dev] [PATCH v2] pinctrl: Fix memory leak for NAT IPs in send_garp_run().
Justin Pettit
jpettit at ovn.org
Fri Aug 19 18:34:04 UTC 2016
> On Aug 19, 2016, at 9:03 AM, Ben Pfaff <blp at ovn.org> wrote:
>
> send_garp_run() allocated and populated a shash of struct lport_addresses,
> but it only freed some of the data. This fixes the problem.
>
> CC: Chandra S Vejendla <csvejend at us.ibm.com>
> Reported-by: Ramu Ramamurthy <ramu.ramamurthy at gmail.com>
> Fixes: 8439c2ebd823 ("ovn: Support for GARP for NAT IPs via localnet")
> Signed-off-by: Ben Pfaff <blp at ovn.org>
I think this may fix a possible use-after-free problem with "nat_addresses", too. There are two separate calls to send_garp_update() in send_garp_run() that take "nat_addresses" as an argument. If "laddrs" is used in the first call, the data is freed, but the data pointer still exists in "nat_addresses". It's possible that a second call could then try to dereference the pointer value that's there. I didn't look closely enough at the code to see if something makes sure that both calls can never reference the same entry, though.
Acked-by: Justin Pettit <jpettit at ovn.org>
--Justin
More information about the dev
mailing list