[ovs-git] Open vSwitch: ofproto-dpif: Fix use-after-free for OFPP_CONTROLLER flows. (branch-1.3)

dev at openvswitch.org dev at openvswitch.org
Fri Dec 16 18:30:09 UTC 2011 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Open vSwitch".

The branch, branch-1.3 has been updated
       via  918769dda1ede0c88d6cce287b4d7e7cac5cd390 (commit)
      from  6e8da577277b1ad352a7d7fe9ad83d06443d24bc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 918769dda1ede0c88d6cce287b4d7e7cac5cd390
Diffs: http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=918769dda1ede0c88d6cce287b4d7e7cac5cd390
Author: Ben Pfaff <blp at nicira.com>
		
ofproto-dpif: Fix use-after-free for OFPP_CONTROLLER flows.
		
When a flow consists solely of an output to OFPP_CONTROLLER, we avoid a
round trip to the kernel and back by calling execute_controller_action()
from handle_flow_miss().  However, execute_controller_action() frees the
packet passed in.  This is dangerous, because the packet and the upcall
key are in the same block of malloc()'d memory, as the comment on struct
dpif_upcall says:

/* A packet passed up from the datapath to userspace.
 *
 * If 'key' or 'actions' is nonnull, then it points into data owned by
 * 'packet', so their memory cannot be freed separately.  (This is hardly a
 * great way to do things but it works out OK for the dpif providers and
 * clients that exist so far.)
 */

Thus, we get a use-after-free later on in handle_flow_miss() and eventually
a double free.

This fixes the problem by making execute_controller_action() clone the
packet in this case.

Signed-off-by: Ben Pfaff <blp at nicira.com>


-----------------------------------------------------------------------

Summary of changes:
 ofproto/ofproto-dpif.c |   16 +++++++++++-----
 1 files changed, 11 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
Open vSwitch

More information about the git mailing list