[ovs-git] Open vSwitch: netdev-linux: Fix use-after-free when netdev_dump_queues() deletes queues. (master)

dev at openvswitch.org dev at openvswitch.org
Mon Mar 19 20:51:26 UTC 2012 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Open vSwitch".

The branch, master has been updated
       via  f486e8405a13667e63765d804dd0ef96f38228c8 (commit)
      from  6e037e3ca6381fa36fdf6009c4ccc97d0f041be4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f486e8405a13667e63765d804dd0ef96f38228c8
Diffs: http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=f486e8405a13667e63765d804dd0ef96f38228c8
Author: Ben Pfaff <blp at nicira.com>
		
netdev-linux: Fix use-after-free when netdev_dump_queues() deletes queues.
		
iface_configure_qos() passes a callback to netdev_dump_queues() that can
delete queues.  The netdev-linux implementation of this function was
unprepared for the callback to delete queues, so this could cause a
use-after-free.  This fixes the problem in netdev_linux_dump_queues() and
documents that netdev_dump_queues() implementations must support deletions
in the callback.

Found by valgrind:

==1593== Invalid read of size 8
==1593==    at 0x4A8C43: netdev_linux_dump_queues (hmap.h:326)
==1593==    by 0x4305F7: bridge_reconfigure (bridge.c:3084)
==1593==    by 0x431384: bridge_run (bridge.c:1892)
==1593==    by 0x432749: main (ovs-vswitchd.c:96)
==1593==  Address 0x632e078 is 8 bytes inside a block of size 32 free'd
==1593==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==1593==    by 0x4A4D74: hfsc_class_delete (netdev-linux.c:3250)
==1593==    by 0x42AA59: iface_delete_queues (bridge.c:3055)
==1593==    by 0x4A8C8C: netdev_linux_dump_queues (netdev-linux.c:1881)
==1593==    by 0x4305F7: bridge_reconfigure (bridge.c:3084)
==1593==    by 0x431384: bridge_run (bridge.c:1892)

Bug #10164.
Reported-by: Ram Jothikumar <ram at nicira.com>
Signed-off-by: Ben Pfaff <blp at nicira.com>


-----------------------------------------------------------------------

Summary of changes:
 lib/netdev-linux.c    |    5 +++--
 lib/netdev-provider.h |    9 +++++++--
 lib/netdev.c          |    6 +++++-
 3 files changed, 15 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
Open vSwitch

More information about the git mailing list