[ovs-discuss] Possible double-free on ofproto.c:delete_flows_loose

Ben Pfaff blp at nicira.com
Wed Sep 17 20:37:07 UTC 2014


On Wed, Sep 17, 2014 at 02:58:50PM -0400, Anup Khadka wrote:
> On Tue, Sep 16, 2014 at 3:30 PM, Anup Khadka <khadka.py at gmail.com> wrote:
> 
> > It looks like OVS tries to double-free in delete_flows_loose if
> > rules->rules (inside struct rule_collection *rules) is not equal to
> > rules->stub.
> >
> > A little more detail:
> > In the function delete_flows_loose, the call to the function
> > collect_rules_loose takes care of freeing rules (again struct
> > rule_collection *rules) if there is any error while collecting the rule.
> >
> > The function returns back to delete_flows_loose where it calls
> > rule_collection_destroy again.
> >
> > Because rules->rules is still not rules->stub, it attempts to free the
> > rules structure again, resulting in a double-free.
> >
> > Perhaps rules->rules can be set to rules->stub inside the
> > rule_collection_destroy function after it's freed. Or perhaps
> > rule_collection_destroy should only be called from delete_flows_loose if
> > there is no error, or perhaps collect_rules_loose should not take care of
> > freeing the data structure.

rule_collection_destroy() already reinitializes 'rules' after it
destroys it:

void
rule_collection_destroy(struct rule_collection *rules)
{
    if (rules->rules != rules->stub) {
        free(rules->rules);
    }

    /* Make repeated destruction harmless. */
    rule_collection_init(rules);
}
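The following is an added example, not code from the OVS tree or from either poster, that reproduces the call sequence described in the thread with a minimal stand-alone rule_collection: a stub-backed array that spills to the heap when it grows past RULE_COLLECTION_STUB_SIZE (an assumed value of 5 here), a collector that frees the collection on its error path, and a caller that destroys it again afterwards. The names collect_rules_sim, delete_flows_sim and rule_collection_is_reset are invented for the demonstration; rule_collection_destroy has the same shape as the function quoted above, so the second destroy finds rules == stub and frees nothing.

```c
/* Added example (not OVS code): why an idempotent destroy makes the
 * "error path frees, then caller frees again" sequence harmless. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RULE_COLLECTION_STUB_SIZE 5   /* assumed; small so the heap path is hit */
#define POOL_SIZE 64                  /* assumed upper bound for the simulation */

struct rule { int id; };              /* stand-in for the real struct rule */

struct rule_collection {
    struct rule **rules;              /* == stub until more than STUB_SIZE rules */
    struct rule *stub[RULE_COLLECTION_STUB_SIZE];
    size_t n;
    size_t capacity;
};

void rule_collection_init(struct rule_collection *rules)
{
    rules->rules = rules->stub;
    rules->n = 0;
    rules->capacity = RULE_COLLECTION_STUB_SIZE;
}

/* Appends a rule, moving the array to the heap the first time it outgrows
 * the inline stub. */
void rule_collection_add(struct rule_collection *rules, struct rule *rule)
{
    if (rules->n >= rules->capacity) {
        size_t new_capacity = rules->capacity * 2;
        struct rule **copy = malloc(new_capacity * sizeof *copy);
        if (!copy) {
            abort();
        }
        memcpy(copy, rules->rules, rules->n * sizeof *copy);
        if (rules->rules != rules->stub) {
            free(rules->rules);
        }
        rules->rules = copy;
        rules->capacity = new_capacity;
    }
    rules->rules[rules->n++] = rule;
}

/* Same shape as the OVS function quoted in the thread: free the heap array,
 * if any, then reinitialize so a repeated call frees nothing. */
void rule_collection_destroy(struct rule_collection *rules)
{
    if (rules->rules != rules->stub) {
        free(rules->rules);
    }
    rule_collection_init(rules);
}

bool rule_collection_is_reset(const struct rule_collection *rules)
{
    return rules->rules == rules->stub && rules->n == 0
           && rules->capacity == RULE_COLLECTION_STUB_SIZE;
}

/* Mimics collect_rules_loose(): gathers 'n' rules, reports whether the array
 * had to move to the heap, and on 'fail' destroys the collection before
 * returning an error, as the thread describes. */
int collect_rules_sim(struct rule_collection *rules, struct rule *pool,
                      size_t n, bool fail, bool *used_heap)
{
    rule_collection_init(rules);
    for (size_t i = 0; i < n; i++) {
        rule_collection_add(rules, &pool[i]);
    }
    if (used_heap) {
        *used_heap = rules->rules != rules->stub;
    }
    if (fail) {
        rule_collection_destroy(rules);   /* error path frees */
        return -1;
    }
    return 0;
}

/* Mimics delete_flows_loose(): destroys the collection whether or not the
 * collector already did. Returns true if the collection is back in its
 * reset state afterwards (a non-idempotent destroy would double-free here). */
bool delete_flows_sim(size_t n, bool fail, bool *used_heap)
{
    struct rule pool[POOL_SIZE];
    struct rule_collection rules;
    if (n > POOL_SIZE) {
        return false;
    }
    for (size_t i = 0; i < n; i++) {
        pool[i].id = (int) i;
    }
    (void) collect_rules_sim(&rules, pool, n, fail, used_heap);
    rule_collection_destroy(&rules);      /* second destroy: a no-op free */
    return rule_collection_is_reset(&rules);
}

/* Convenience for checking which path a given size exercises. */
bool simulate_uses_heap(size_t n, bool fail)
{
    bool used_heap = false;
    delete_flows_sim(n, fail, &used_heap);
    return used_heap;
}

int main(void)
{
    bool used_heap = false;
    bool ok = delete_flows_sim(8, true, &used_heap);
    printf("heap array used: %s, reset after double destroy: %s\n",
           used_heap ? "yes" : "no", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Running it with 8 rules and the failing path exercises exactly the case raised in the thread (rules->rules on the heap, destroyed twice); building with -fsanitize=address is a quick way to confirm no double free occurs, and commenting out the rule_collection_init() call in rule_collection_destroy() shows the crash the original report expected.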
