[ovs-dev] [PATCH] netdev-dummy: fix crash with more than one passive connection

[Ben Pfaff]

On Wed, Jul 06, 2016 at 07:39:52PM -0400, Lance Richardson wrote:
> Investigation found that Some of the occasional failures in the
> "ovn -- vtep: 3 HVs, 1 VIFs/HV, 1 GW, 1 LS" test case are caused
> by ovs-vswitchd crashing with SIGSEGV. It turns out that the
> crash occurrs when the number of netdev-dummy passive connections
> transitions from 1 to 2.  When xrealloc() copies the array of
> dummy_packet_stream structures from the original buffer to a
> newly allocated one, the struct ovs_list txq member of the structure
> becomes corrupt (e.g. if ovs_list_is_empty() would have returned
> false before the copy, it will return true after the copy, which
> will lead to a crash when the bogus packet buffer on the list is
> dereferenced).
> 
> Fix by taking a hint from David Wheeler and adding a level of
> indirection.
> 
> Signed-off-by: Lance Richardson <lrichard at redhat.com>

Thanks for the fix!  I applied this.

I spotted what looks like another bug and fixed it by folding in the
following.  If you think it's wrong, please let me know.

diff --git a/lib/netdev-dummy.c b/lib/netdev-dummy.c
index b16c9c6..2e7b7e9 100644
--- a/lib/netdev-dummy.c
+++ b/lib/netdev-dummy.c
@@ -459,7 +459,7 @@ dummy_pconn_run(struct netdev_dummy *dev)
         dev->conn.type = NONE;
     }
 
-    for (i = 0; i < pconn->n_streams; i++) {
+    for (i = 0; i < pconn->n_streams; ) {
         struct dummy_packet_stream *s = pconn->streams[i];
 
         error = dummy_packet_stream_run(dev, s);
@@ -470,6 +470,8 @@ dummy_pconn_run(struct netdev_dummy *dev)
             dummy_packet_stream_close(s);
             free(s);
             pconn->streams[i] = pconn->streams[--pconn->n_streams];
+        } else {
+            i++;
         }
     }
 }