[ovs-git] Open vSwitch: ofproto-dpif: Fix use-after-free error in handle_miss_upcalls(). (branch-1.5)

dev at openvswitch.org dev at openvswitch.org
Mon Jan 30 21:17:23 UTC 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Open vSwitch".

The branch, branch-1.5 has been updated
       via  5aa0fe5bef0462e3c3c6f31e9f2ed51269ffd467 (commit)
      from  05e547e7ee479fa2c3ca5bc9d2eb57bc8a07bdb8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5aa0fe5bef0462e3c3c6f31e9f2ed51269ffd467
Diffs: http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=5aa0fe5bef0462e3c3c6f31e9f2ed51269ffd467
Author: Ben Pfaff <blp at nicira.com>
		
ofproto-dpif: Fix use-after-free error in handle_miss_upcalls().
		
When handle_flow_miss() saw that subfacet did not have any actions, then
the associated packet would get freed early, in the loop that constructs
the set of batched operations.  However, there would still be a "flow_put"
operation that referenced the key that shares the same memory block as the
packet.  The memory allocator would overwrite the first few bytes of this
block, causing bizarre errors in the flow_put.

This commit changes the memory release strategy to be less error-prone, by
deferring all freeing of packets to the end of the function.  With this
change, every packet gets freed in the same place, instead of having some
packets freed in one place and other packets freed in another.

Here is the valgrind report that pinpoints the problem:

Invalid read of size 4
   at 0x4026838: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x80E9B52: dpif_linux_flow_to_ofpbuf (dpif-linux.c:1714)
   by 0x80E9C77: dpif_linux_operate (dpif-linux.c:883)
   by 0x80AFB5A: dpif_operate (dpif.c:994)
   by 0x809A03B: handle_upcalls (ofproto-dpif.c:2758)
   by 0x809A23A: run_fast (ofproto-dpif.c:757)
   by 0x808C04E: ofproto_run_fast (ofproto.c:963)
   by 0x806DFB6: bridge_run_fast (bridge.c:1811)
   by 0x8074B59: main (ovs-vswitchd.c:98)
 Address 0x4427948 is 80 bytes inside a block of size 2,048 free'd
   at 0x402421C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x80CD865: ofpbuf_delete (ofpbuf.c:187)
   by 0x80CD8AA: ofpbuf_list_delete (ofpbuf.c:531)
   by 0x8099F06: handle_upcalls (ofproto-dpif.c:2747)
   by 0x809A23A: run_fast (ofproto-dpif.c:757)
   by 0x808C04E: ofproto_run_fast (ofproto.c:963)
   by 0x806DFB6: bridge_run_fast (bridge.c:1811)
   by 0x8074B59: main (ovs-vswitchd.c:98)

Bug #9346.
Reported-by: Alan Shieh <ashieh at nicira.com>
Reported-by: Ethan Jackson <ethan at nicira.com>
Signed-off-by: Ben Pfaff <blp at nicira.com>


-----------------------------------------------------------------------

Summary of changes:
 ofproto/ofproto-dpif.c |   13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)


hooks/post-receive
-- 
Open vSwitch


