[ovs-git] [openvswitch/ovs] 018414: ofproto: Avoid theoretical double free of large ru...
GitHub
noreply at github.com
Mon Oct 20 15:54:09 UTC 2014
Branch: refs/heads/branch-2.1
Home: https://github.com/openvswitch/ovs
Commit: 018414ae78f2613b0b4c7f6d0fcfcb9c781fb5af
https://github.com/openvswitch/ovs/commit/018414ae78f2613b0b4c7f6d0fcfcb9c781fb5af
Author: Ben Pfaff <blp at nicira.com>
Date: 2014-10-20 (Mon, 20 Oct 2014)
Changed paths:
M ofproto/ofproto.c
Log Message:
-----------
ofproto: Avoid theoretical double free of large rule collections.
collect_rules_strict() and collect_rules_loose() destroy the rule
collections that they create if they return an error, and some of their
callers then go on to destroy them again. This could cause a double-free
in the case where rule_collection_destroy() actually calls free(). That
never happens in the current tree, because free() is only necessary if
malloc() was called and there's a 64-entry stub that none of the current
code in collect_rules_*() can fill up in their error cases. Still, it
seems better to fix the problem.
Found by clang-analyzer.
This is backported to OVS 2.1 because a discussion on ovs-discuss
showed that in fact the double free can trigger:
http://openvswitch.org/pipermail/discuss/2014-September/014978.html
Reported-by: Anup Khadka <khadka.py at gmail.com>
Signed-off-by: Ben Pfaff <blp at nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme at nicira.com>
More information about the git
mailing list