[ovs-git] [openvswitch/ovs] 018414: ofproto: Avoid theoretical double free of large ru...

GitHub noreply at github.com
Mon Oct 20 15:54:09 UTC 2014


  Branch: refs/heads/branch-2.1
  Home:   https://github.com/openvswitch/ovs
  Commit: 018414ae78f2613b0b4c7f6d0fcfcb9c781fb5af
      https://github.com/openvswitch/ovs/commit/018414ae78f2613b0b4c7f6d0fcfcb9c781fb5af
  Author: Ben Pfaff <blp at nicira.com>
  Date:   2014-10-20 (Mon, 20 Oct 2014)

  Changed paths:
    M ofproto/ofproto.c

  Log Message:
  -----------
  ofproto: Avoid theoretical double free of large rule collections.

collect_rules_strict() and collect_rules_loose() destroy the rule
collections that they create if they return an error, and some of their
callers then go on to destroy them again.  This could cause a double-free
in the case where rule_collection_destroy() actually calls free().  That
never happens in the current tree, because free() is only necessary if
malloc() was called and there's a 64-entry stub that none of the current
code in collect_rules_*() can fill up in their error cases.  Still, it
seems better to fix the problem.

Found by clang-analyzer.

This is backported to OVS 2.1 because a discussion on ovs-discuss
showed that in fact the double free can trigger:
http://openvswitch.org/pipermail/discuss/2014-September/014978.html

Reported-by: Anup Khadka <khadka.py at gmail.com>
Signed-off-by: Ben Pfaff <blp at nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme at nicira.com>
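
The failure mode in the log message, reduced to an added example that is not taken from ofproto.c or from this commit: a collection with a 64-entry inline stub that calls free() only after the stub has overflowed, destroyed once by the collector on its error path and once more by the caller. `struct coll`, `coll_*` and `error_path_frees` are hypothetical names, and resetting the collection to its stub inside destroy is one way to make the second destroy harmless, assumed here rather than quoted from the patch.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#define STUB_ENTRIES 64          /* stub size named in the commit message */

/* Hypothetical stand-in for a rule collection: inline stub, heap on overflow. */
struct coll {
    void **items;                /* points at stub[] until the stub overflows */
    size_t n, cap;
    void *stub[STUB_ENTRIES];
};
static int destroy_frees;        /* free() calls made by coll_destroy() */

static void coll_init(struct coll *c) {
    c->items = c->stub; c->n = 0; c->cap = STUB_ENTRIES;
}

static int coll_add(struct coll *c, void *item) {
    if (c->n == c->cap) {        /* full: move to a heap array twice the size */
        void **p = malloc(2 * c->cap * sizeof *p);
        if (!p) return -1;
        memcpy(p, c->items, c->n * sizeof *p);
        if (c->items != c->stub) free(c->items);
        c->items = p;
        c->cap *= 2;
    }
    c->items[c->n++] = item;
    return 0;
}

/* Free the heap array if any, then reset to the stub so that destroying the
 * same collection a second time finds nothing left to free. */
static void coll_destroy(struct coll *c) {
    if (c->items != c->stub) {
        free(c->items);
        destroy_frees++;
    }
    coll_init(c);                /* without this reset, the next call frees again */
}

/* Error path: collector destroys its result, then the caller destroys it again.
 * Returns how many times coll_destroy() actually called free(). */
static int error_path_frees(size_t n_items) {
    static int dummy;            /* constructed sample item */
    struct coll c;
    destroy_frees = 0;
    coll_init(&c);
    for (size_t i = 0; i < n_items && !coll_add(&c, &dummy); i++) { }
    coll_destroy(&c);            /* collector cleans up before returning an error */
    coll_destroy(&c);            /* caller cleans up the same collection */
    return destroy_frees;
}
```

With 64 or fewer entries the stub is never left and neither destroy reaches free(), which is why the problem stays hidden until a collection grows past the stub.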



