git://git.onelab.eu / sliver-openvswitch.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
ofproto-dpif: Fix use-after-free for OFPP_CONTROLLER flows.
[sliver-openvswitch.git] / ofproto / ofproto-dpif.c
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index 14b5447..7eb8b41 100644 (file)
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -318,7 +318,7 @@ static bool execute_controller_action(struct ofproto_dpif *,
                                       const struct flow *,
                                       const struct nlattr *odp_actions,
                                       size_t actions_len,
-                                      struct ofpbuf *packet);
+                                      struct ofpbuf *packet, bool clone);
 
 static void facet_flush_stats(struct ofproto_dpif *, struct facet *);
 
@@ -373,8 +373,7 @@ static struct subfacet *subfacet_create(struct ofproto_dpif *, struct facet *,
                                         const struct nlattr *key,
                                         size_t key_len, ovs_be16 initial_tci);
 static struct subfacet *subfacet_find(struct ofproto_dpif *,
-                                      const struct nlattr *key, size_t key_len,
-                                      const struct flow *);
+                                      const struct nlattr *key, size_t key_len);
 static void subfacet_destroy(struct ofproto_dpif *, struct subfacet *);
 static void subfacet_destroy__(struct ofproto_dpif *, struct subfacet *);
 static void subfacet_reset_dp_stats(struct subfacet *,
@@ -2476,7 +2475,7 @@ handle_flow_miss(struct ofproto_dpif *ofproto, struct flow_miss *miss,
         }
         if (!execute_controller_action(ofproto, &facet->flow,
                                        subfacet->actions,
-                                       subfacet->actions_len, packet)) {
+                                       subfacet->actions_len, packet, true)) {
             struct flow_miss_op *op = &ops[(*n_ops)++];
             struct dpif_execute *execute = &op->dpif_op.execute;
 
@@ -2573,6 +2572,7 @@ handle_miss_upcalls(struct ofproto_dpif *ofproto, struct dpif_upcall *upcalls,
                                                 upcall->key, upcall->key_len,
                                                 &flow, &initial_tci);
         if (fitness == ODP_FIT_ERROR) {
+            ofpbuf_delete(upcall->packet);
             continue;
         }
         flow_extract(upcall->packet, flow.priority, flow.tun_id,
@@ -2649,6 +2649,7 @@ handle_userspace_upcall(struct ofproto_dpif *ofproto,
                                             upcall->key_len, &flow,
                                             &initial_tci);
     if (fitness == ODP_FIT_ERROR) {
+        ofpbuf_delete(upcall->packet);
         return;
     }
 
@@ -2664,6 +2665,7 @@ handle_userspace_upcall(struct ofproto_dpif *ofproto,
                               &flow, false);
     } else {
         VLOG_WARN_RL(&rl, "invalid user cookie : 0x%"PRIx64, upcall->userdata);
+        ofpbuf_delete(upcall->packet);
     }
 }
 
@@ -2782,16 +2784,9 @@ update_stats(struct ofproto_dpif *p)
 
     dpif_flow_dump_start(&dump, p->dpif);
     while (dpif_flow_dump_next(&dump, &key, &key_len, NULL, NULL, &stats)) {
-        enum odp_key_fitness fitness;
         struct subfacet *subfacet;
-        struct flow flow;
 
-        fitness = odp_flow_key_to_flow(key, key_len, &flow);
-        if (fitness == ODP_FIT_ERROR) {
-            continue;
-        }
-
-        subfacet = subfacet_find(p, key, key_len, &flow);
+        subfacet = subfacet_find(p, key, key_len);
         if (subfacet && subfacet->installed) {
             struct facet *facet = subfacet->facet;
 
@@ -2815,9 +2810,18 @@ update_stats(struct ofproto_dpif *p)
             facet_account(p, facet);
             facet_push_stats(facet);
         } else {
+            if (!VLOG_DROP_WARN(&rl)) {
+                struct ds s;
+
+                ds_init(&s);
+                odp_flow_key_format(key, key_len, &s);
+                VLOG_WARN("unexpected flow from datapath %s", ds_cstr(&s));
+                ds_destroy(&s);
+            }
+
+            COVERAGE_INC(facet_unexpected);
             /* There's a flow in the datapath that we know nothing about, or a
              * flow that shouldn't be installed but was anyway.  Delete it. */
-            COVERAGE_INC(facet_unexpected);
             dpif_flow_del(p->dpif, key, key_len, NULL);
         }
     }
@@ -2995,11 +2999,17 @@ facet_free(struct facet *facet)
     free(facet);
 }
 
+/* If the 'actions_len' bytes of actions in 'odp_actions' are just a single
+ * OVS_ACTION_ATTR_USERSPACE action, executes it internally and returns true.
+ * Otherwise, returns false without doing anything.
+ *
+ * If 'clone' is true, the caller always retains ownership of 'packet'.
+ * Otherwise, ownership is transferred to this function if it returns true. */
 static bool
 execute_controller_action(struct ofproto_dpif *ofproto,
                           const struct flow *flow,
                           const struct nlattr *odp_actions, size_t actions_len,
-                          struct ofpbuf *packet)
+                          struct ofpbuf *packet, bool clone)
 {
     if (actions_len
         && odp_actions->nla_type == OVS_ACTION_ATTR_USERSPACE
@@ -3015,7 +3025,7 @@ execute_controller_action(struct ofproto_dpif *ofproto,
 
         nla = nl_attr_find_nested(odp_actions, OVS_USERSPACE_ATTR_USERDATA);
         send_packet_in_action(ofproto, packet, nl_attr_get_u64(nla), flow,
-                              false);
+                              clone);
         return true;
     } else {
         return false;
@@ -3036,7 +3046,7 @@ execute_odp_actions(struct ofproto_dpif *ofproto, const struct flow *flow,
     int error;
 
     if (execute_controller_action(ofproto, flow, odp_actions, actions_len,
-                                  packet)) {
+                                  packet, false)) {
         return true;
     }
 
@@ -3508,12 +3518,18 @@ subfacet_create(struct ofproto_dpif *ofproto, struct facet *facet,
  * 'flow'.  Returns the subfacet if one exists, otherwise NULL. */
 static struct subfacet *
 subfacet_find(struct ofproto_dpif *ofproto,
-              const struct nlattr *key, size_t key_len,
-              const struct flow *flow)
+              const struct nlattr *key, size_t key_len)
 {
     uint32_t key_hash = odp_flow_key_hash(key, key_len);
+    enum odp_key_fitness fitness;
+    struct flow flow;
 
-    return subfacet_find__(ofproto, key, key_len, key_hash, flow);
+    fitness = odp_flow_key_to_flow(key, key_len, &flow);
+    if (fitness == ODP_FIT_ERROR) {
+        return NULL;
+    }
+
+    return subfacet_find__(ofproto, key, key_len, key_hash, &flow);
 }
 
 /* Uninstalls 'subfacet' from the datapath, if it is installed, removes it from
@@ -4922,7 +4938,9 @@ add_mirror_actions(struct action_xlate_ctx *ctx, const struct flow *orig_flow)
         }
 
         ofport = get_odp_port(ofproto, nl_attr_get_u32(a));
-        mirrors |= ofport ? ofport->bundle->dst_mirrors : 0;
+        if (ofport && ofport->bundle) {
+            mirrors |= ofport->bundle->dst_mirrors;
+        }
     }
 
     if (!mirrors) {
sliver-openvswitch