git://git.onelab.eu
/
sliver-openvswitch.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
ofproto-dpif: Fix use-after-free error in handle_miss_upcalls().
[sliver-openvswitch.git]
/
ofproto
/
ofproto-dpif.c
diff --git
a/ofproto/ofproto-dpif.c
b/ofproto/ofproto-dpif.c
index
344f9d4
..
51d3f3f
100644
(file)
--- a/
ofproto/ofproto-dpif.c
+++ b/
ofproto/ofproto-dpif.c
@@
-2579,7
+2579,6
@@
handle_flow_miss(struct ofproto_dpif *ofproto, struct flow_miss *miss,
continue;
}
continue;
}
- list_remove(&packet->list_node);
if (flow->vlan_tci != subfacet->initial_tci) {
/* This packet was received on a VLAN splinter port. We added
* a VLAN to the packet to make the packet resemble the flow,
if (flow->vlan_tci != subfacet->initial_tci) {
/* This packet was received on a VLAN splinter port. We added
* a VLAN to the packet to make the packet resemble the flow,
@@
-2742,14
+2741,10
@@
handle_miss_upcalls(struct ofproto_dpif *ofproto, struct dpif_upcall *upcalls,
/* Process each element in the to-do list, constructing the set of
* operations to batch. */
n_ops = 0;
/* Process each element in the to-do list, constructing the set of
* operations to batch. */
n_ops = 0;
- HMAP_FOR_EACH
_SAFE (miss, next_
miss, hmap_node, &todo) {
+ HMAP_FOR_EACH
(
miss, hmap_node, &todo) {
handle_flow_miss(ofproto, miss, flow_miss_ops, &n_ops);
handle_flow_miss(ofproto, miss, flow_miss_ops, &n_ops);
- ofpbuf_list_delete(&miss->packets);
- hmap_remove(&todo, &miss->hmap_node);
- free(miss);
}
assert(n_ops <= ARRAY_SIZE(flow_miss_ops));
}
assert(n_ops <= ARRAY_SIZE(flow_miss_ops));
- hmap_destroy(&todo);
/* Execute batch. */
for (i = 0; i < n_ops; i++) {
/* Execute batch. */
for (i = 0; i < n_ops; i++) {
@@
-2768,7
+2763,6
@@
handle_miss_upcalls(struct ofproto_dpif *ofproto, struct dpif_upcall *upcalls,
if (op->subfacet->actions != execute->actions) {
free((struct nlattr *) execute->actions);
}
if (op->subfacet->actions != execute->actions) {
free((struct nlattr *) execute->actions);
}
- ofpbuf_delete((struct ofpbuf *) execute->packet);
break;
case DPIF_OP_FLOW_PUT:
break;
case DPIF_OP_FLOW_PUT:
@@
-2778,6
+2772,12
@@
handle_miss_upcalls(struct ofproto_dpif *ofproto, struct dpif_upcall *upcalls,
break;
}
}
break;
}
}
+ HMAP_FOR_EACH_SAFE (miss, next_miss, hmap_node, &todo) {
+ ofpbuf_list_delete(&miss->packets);
+ hmap_remove(&todo, &miss->hmap_node);
+ free(miss);
+ }
+ hmap_destroy(&todo);
}
static void
}
static void