[ovs-discuss] Possible double-free on ofproto.c:delete_flows_loose

Anup Khadka khadka.py at gmail.com
Wed Sep 17 18:58:50 UTC 2014


On Tue, Sep 16, 2014 at 3:30 PM, Anup Khadka <khadka.py at gmail.com> wrote:

> It looks like OVS tries to double-free in delete_flows_loose if the
> rules->rules (inside struct rule_collection *rules) is not equal to
> rules->stub.
>
> A little more detail:
> In the function delete_flows_loose, the call to the function
> collect_rules_loose takes care of freeing rules (again struct
> rule_collection *rules) if there is any error while collecting the rule.
>
> The function returns back to delete_flows_loose where it calls
> rule_collection_destroy again.
>
> Because rules->rules is still not rules->stub, it attempts to free the
> rules structure again, resulting in a double-free.
>
> Perhaps rules->rules can be set to rules->stub inside the
> rule_collection_destroy function after it's freed. Or perhaps
> rule_collection_destroy should only be called from delete_flows_loose if
> there is no error, or perhaps collect_rules_loose should not take care of
> freeing the data structure.
>
> Please let me know if it's a bug.
>
> Thanks,
> Anup
>
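
A simplified C model of the pattern reported above, added here as an example; it is not part of the original message and not Open vSwitch source. It shows the first remedy the report suggests (destroy resets the pointer to the stub, so the caller's second destroy on the error path frees nothing). The names rc_init, rc_add, rc_destroy, collect, delete_loose, STUB_LEN and the destroy_frees counter are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

#define STUB_LEN 4                      /* assumed inline capacity */
struct rule { int id; };

struct rule_collection {
    struct rule **rules;                /* points at stub[] or heap memory */
    size_t n, cap;
    struct rule *stub[STUB_LEN];
};

static int destroy_frees;               /* heap releases done by rc_destroy() */

static void rc_init(struct rule_collection *rc) {
    rc->rules = rc->stub;
    rc->n = 0;
    rc->cap = STUB_LEN;
}

static void rc_add(struct rule_collection *rc, struct rule *r) {
    if (rc->n == rc->cap) {             /* outgrew storage: move to the heap */
        struct rule **p = malloc(2 * rc->cap * sizeof *p);
        if (!p) abort();
        memcpy(p, rc->rules, rc->n * sizeof *p);
        if (rc->rules != rc->stub) free(rc->rules);
        rc->rules = p;
        rc->cap *= 2;
    }
    rc->rules[rc->n++] = r;
}

/* Hardened destroy: resetting to the stub makes a second call a no-op. */
static void rc_destroy(struct rule_collection *rc) {
    if (rc->rules != rc->stub) { free(rc->rules); destroy_frees++; }
    rc_init(rc);
}

/* Collector that cleans up on error, as the report describes. */
static int collect(struct rule_collection *rc, struct rule *pool, size_t n, int fail) {
    rc_init(rc);
    for (size_t i = 0; i < n; i++) rc_add(rc, &pool[i]);
    if (fail) { rc_destroy(rc); return -1; }
    return 0;
}

/* Caller that destroys unconditionally, so the error path destroys twice (n <= 16). */
int delete_loose(size_t n, int fail) {
    struct rule pool[16] = {{0}};
    struct rule_collection rc;
    int err = collect(&rc, pool, n, fail);
    rc_destroy(&rc);
    return err;
}
```

Without the rc_init() call at the end of rc_destroy(), the error path with more than STUB_LEN rules would pass the same heap pointer to free() twice.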

