From: Ben Pfaff
Date: Thu, 15 May 2014 22:52:17 +0000 (-0700)
Subject: ofproto-dpif-upcall: Avoid use-after-free in revalidate() corner cases.
X-Git-Tag: v2.3~94
X-Git-Url: http://git.cascardo.eti.br/?a=commitdiff_plain;h=1340ce0c175;p=cascardo%2Fovs.git

ofproto-dpif-upcall: Avoid use-after-free in revalidate() corner cases.

The loop in revalidate() needs to ensure that any data obtained from dpif_flow_dump_next() is used before it is destroyed, as indicated by dpif_flow_dump_next_may_destroy_keys(). In the common case, where processing reaches the end of the main "while" loop, it does this, but in two corner cases the code in the loop executed "continue;", which skipped the check. This commit fixes the problem.

Bug #1249988.
Signed-off-by: Ben Pfaff
Acked-by: Joe Stringer
---
diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c index e1117badc..f15e9162c 100644 --- a/ofproto/ofproto-dpif-upcall.c +++ b/ofproto/ofproto-dpif-upcall.c @@ -1470,7 +1470,7 @@ revalidate(struct revalidator *revalidator) * flow this time. */ ovs_mutex_unlock(&ukey->mutex); COVERAGE_INC(upcall_duplicate_flow); - continue; + goto next; } used = ukey->created; @@ -1493,7 +1493,7 @@ revalidate(struct revalidator *revalidator) * another revalidator is processing this flow * concurrently, so don't bother processing it. */ ukey_delete(NULL, ukey); - continue; + goto next; } } @@ -1511,6 +1511,7 @@ revalidate(struct revalidator *revalidator) dump_op_init(&ops[n_ops++], key, key_len, ukey); } + next: may_destroy = dpif_flow_dump_next_may_destroy_keys(&udpif->dump, state);
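Review bot: in the hunk at line 1470 the duplicate-flow branch now jumps to `next:` right after `ovs_mutex_unlock(&ukey->mutex);` and `COVERAGE_INC(upcall_duplicate_flow);`, which does get it to the `dpif_flow_dump_next_may_destroy_keys()` check; please confirm that nothing after the label reads `ukey` or `used` on this path, since `used = ukey->created;` and everything below it are skipped and `ukey->mutex` has already been released by the time control reaches the label.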
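Review bot: in the hunk at line 1493 the `goto next;` directly follows `ukey_delete(NULL, ukey);`, so `ukey` is already freed when control reaches the label; any code after `next:` that still dereferences `ukey` would be the same class of use-after-free this commit is fixing. Consider adding `ukey = NULL;` after the delete, or otherwise confirming that the tail of the loop only uses `may_destroy`, `&udpif->dump` and `state` on this path.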
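Review bot: the new `next:` label in the hunk at line 1511 deserves a short comment stating the invariant the commit message relies on, that every path through the loop body must reach `dpif_flow_dump_next_may_destroy_keys()` before the next `dpif_flow_dump_next()` call, so that a future `continue;` added above it is recognised as a bug in review; a line such as `/* Every path through the loop must reach this check. */` above the label would do.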