[ovs-dev] [PATCH 2/5] ofproto: Avoid use-after-free on error path in ofproto_flow_mod_learn().

Ben Pfaff blp at ovn.org
Thu Jan 25 23:39:46 UTC 2018


In the case where the learned flow limit has been reached (below_limit ==
false), ofproto_flow_mod_uninit() would unref ofm->temp_rule (which is
also in the 'rule' local variable) before dereferencing rule->flow_cookie
for the log message.  This fixes the problem.

(The greatest likely consequence of this bug was logging the wrong cookie
value.)

Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 ofproto/ofproto.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
index 76d96a6f93f3..1b80a327ac18 100644
--- a/ofproto/ofproto.c
+++ b/ofproto/ofproto.c
@@ -5141,15 +5141,13 @@ ofproto_flow_mod_learn(struct ofproto_flow_mod *ofm, bool keep_ref,
                 ofproto_flow_mod_learn_finish(ofm, NULL);
             }
         } else {
+            static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
+            VLOG_INFO_RL(&rl, "Learn limit for flow %"PRIu64" reached.",
+                         rule->flow_cookie);
+
             ofproto_flow_mod_uninit(ofm);
         }
         ovs_mutex_unlock(&ofproto_mutex);
-
-        if (!below_limit) {
-            static struct vlog_rate_limit learn_rl = VLOG_RATE_LIMIT_INIT(1, 5);
-            VLOG_INFO_RL(&learn_rl, "Learn limit for flow %"PRIu64" reached.",
-                         rule->flow_cookie);
-        }
     }
 
     if (!keep_ref && below_limit) {
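
Review bot: In the new else branch, VLOG_INFO_RL() now runs before ovs_mutex_unlock(&ofproto_mutex), so the message is logged with ofproto_mutex held, whereas the removed block logged after the unlock. If logging under the mutex is unwanted, copy rule->flow_cookie into a local before ofproto_flow_mod_uninit(ofm) and keep the log call after the unlock. Either way, a one-line comment above the log call saying that ofproto_flow_mod_uninit() unrefs the rule would stop a later cleanup from moving the rule->flow_cookie dereference back below it.
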
-- 
2.10.2


