[ovs-git] Open vSwitch: netdev-linux: Fix use-after-free when netdev_dump_queues() deletes queues. (branch-1.5)

dev at openvswitch.org dev at openvswitch.org
Mon Mar 19 20:53:00 UTC 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Open vSwitch".

The branch, branch-1.5 has been updated
       via  fe383d9687f3023d463d70991a0a482cb1ee4e51 (commit)
      from  43a2283f8a7e22de1b1237b7a5eb8c321ea12c77 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fe383d9687f3023d463d70991a0a482cb1ee4e51
Diffs: http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=fe383d9687f3023d463d70991a0a482cb1ee4e51
Author: Ben Pfaff <blp at nicira.com>
		
netdev-linux: Fix use-after-free when netdev_dump_queues() deletes queues.
		
iface_configure_qos() passes a callback to netdev_dump_queues() that can
delete queues.  The netdev-linux implementation of this function was
unprepared for the callback to delete queues, so this could cause a
use-after-free.  This fixes the problem in netdev_linux_dump_queues() and
documents that netdev_dump_queues() implementations must support deletions
in the callback.

Found by valgrind:

==1593== Invalid read of size 8
==1593==    at 0x4A8C43: netdev_linux_dump_queues (hmap.h:326)
==1593==    by 0x4305F7: bridge_reconfigure (bridge.c:3084)
==1593==    by 0x431384: bridge_run (bridge.c:1892)
==1593==    by 0x432749: main (ovs-vswitchd.c:96)
==1593==  Address 0x632e078 is 8 bytes inside a block of size 32 free'd
==1593==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==1593==    by 0x4A4D74: hfsc_class_delete (netdev-linux.c:3250)
==1593==    by 0x42AA59: iface_delete_queues (bridge.c:3055)
==1593==    by 0x4A8C8C: netdev_linux_dump_queues (netdev-linux.c:1881)
==1593==    by 0x4305F7: bridge_reconfigure (bridge.c:3084)
==1593==    by 0x431384: bridge_run (bridge.c:1892)

Bug #10164.
Reported-by: Ram Jothikumar <ram at nicira.com>
Signed-off-by: Ben Pfaff <blp at nicira.com>


-----------------------------------------------------------------------

Summary of changes:
 lib/netdev-linux.c    |    5 +++--
 lib/netdev-provider.h |    9 +++++++--
 lib/netdev.c          |    6 +++++-
 3 files changed, 15 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
Open vSwitch



More information about the git mailing list