[ovs-dev] [PATCH 2/5] ofproto: Avoid use-after-free on error path in ofproto_flow_mod_learn().

William Tu u9012063 at gmail.com
Fri Jan 26 15:41:09 UTC 2018


On Thu, Jan 25, 2018 at 3:39 PM, Ben Pfaff <blp at ovn.org> wrote:
> In the case where the learned flow limit has been reached (below_limit ==
> false), ofproto_flow_mod_uninit() would unref ofm->temp_rule (which is
> also in the 'rule' local variable) before dereferencing rule->flow_cookie
> for the log message.  This fixes the problem.
>
> (The greatest likely consequence of this bug was logging the wrong cookie
> value.)
>
> Signed-off-by: Ben Pfaff <blp at ovn.org>
> ---

Looks good to me.

Acked-by: William Tu <u9012063 at gmail.com>


>  ofproto/ofproto.c | 10 ++++------
>  1 file changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
> index 76d96a6f93f3..1b80a327ac18 100644
> --- a/ofproto/ofproto.c
> +++ b/ofproto/ofproto.c
> @@ -5141,15 +5141,13 @@ ofproto_flow_mod_learn(struct ofproto_flow_mod *ofm, bool keep_ref,
>                  ofproto_flow_mod_learn_finish(ofm, NULL);
>              }
>          } else {
> +            static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
> +            VLOG_INFO_RL(&rl, "Learn limit for flow %"PRIu64" reached.",
> +                         rule->flow_cookie);
> +
>              ofproto_flow_mod_uninit(ofm);
>          }
>          ovs_mutex_unlock(&ofproto_mutex);
> -
> -        if (!below_limit) {
> -            static struct vlog_rate_limit learn_rl = VLOG_RATE_LIMIT_INIT(1, 5);
> -            VLOG_INFO_RL(&learn_rl, "Learn limit for flow %"PRIu64" reached.",
> -                         rule->flow_cookie);
> -        }
>      }
>
>      if (!keep_ref && below_limit) {
> --
> 2.10.2
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev


More information about the dev mailing list