ofproto: Fix use after free in ofoperation_complete().

In one edge case, ofoperation_complete() destroys its rule, without
updating its ofoperation that the rule is gone.  Later in the same
function, ofoperation_destroy() attempts to modify the rule which
already destroyed.

Bug #11797.
Signed-off-by: Ethan Jackson <ethan@nicira.com>

diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
index 0c24314..eed0458 100644 (file)
--- a/ofproto/ofproto.c
+++ b/ofproto/ofproto.c
@@ -3617,6 +3617,7 @@ ofoperation_complete(struct ofoperation *op, enum ofperr error)
         } else {
             oftable_substitute_rule(rule, op->victim);
             ofproto_rule_destroy__(rule);
+            op->rule = NULL;
         }
         break;