[ovs-git] Open vSwitch: ofproto-dpif: Fix use-after-free for OFPP_CONTROLLER flows. (master)
dev at openvswitch.org
dev at openvswitch.org
Fri Dec 16 18:11:18 UTC 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Open vSwitch".
The branch, master has been updated
via d2007e456ab3604853d7518e7bd1d4ba5df7aa7f (commit)
from b44a10b74a1147029f0bdf7d14cd059ba2dfb454 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit d2007e456ab3604853d7518e7bd1d4ba5df7aa7f
Diffs: http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=d2007e456ab3604853d7518e7bd1d4ba5df7aa7f
Author: Ben Pfaff <blp at nicira.com>
ofproto-dpif: Fix use-after-free for OFPP_CONTROLLER flows.
When a flow consists solely of an output to OFPP_CONTROLLER, we avoid a
round trip to the kernel and back by calling execute_controller_action()
from handle_flow_miss(). However, execute_controller_action() frees the
packet passed in. This is dangerous, because the packet and the upcall
key are in the same block of malloc()'d memory, as the comment on struct
dpif_upcall says:
/* A packet passed up from the datapath to userspace.
*
* If 'key' or 'actions' is nonnull, then it points into data owned by
* 'packet', so their memory cannot be freed separately. (This is hardly a
* great way to do things but it works out OK for the dpif providers and
* clients that exist so far.)
*/
Thus, we get a use-after-free later on in handle_flow_miss() and eventually
a double free.
This fixes the problem by making execute_controller_action() clone the
packet in this case.
Signed-off-by: Ben Pfaff <blp at nicira.com>
-----------------------------------------------------------------------
Summary of changes:
ofproto/ofproto-dpif.c | 16 +++++++++++-----
1 files changed, 11 insertions(+), 5 deletions(-)
hooks/post-receive
--
Open vSwitch
More information about the git
mailing list