ofproto-dpif-upcall: Fix additional use-after-free in revalidate().
Commit
1340ce0c175 (ofproto-dpif-upcall: Avoid use-after-free in
revalidate() corner cases.) fixed one use-after-free error in revalidate(),
but missed one more subtle case, in which dpif_linux_flow_dump_next()
attempts to retrieve actions for a flow that didn't have them in the main
dump result. If retrieving those actions fails,
dpif_linux_flow_dump_next() goes on to the next flow, and as part of that
overwrites the old dumped flows in its buffer. This is a problem because
dpif_linux_flow_dump_next_may_destroy_keys() would have indicated that
the old dumped flows would not have been destroyed, which means that the
data the caller relied on has gone away. In the worst case, this causes
a segfault and core dump.
The best way to fix this problem is the refactoring that has already
happened on master in commit
ac64794acb85 (dpif: Refactor flow dumping
interface to make better sense for batching.) That is a fairly large
change, and not yet well-tested, so it doesn't yet seem suitable for a
stable branch. For now, this commit refines the conditions that
dpif_linux_flow_dump_next_may_destroy_keys() uses, so that if the next
flow does not include actions it indicates that keys may be destroyed.
Thanks to Joe Stringer for suggesting this particular solution.
Bug #
1249988.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Joe Stringer <joestringer@nicira.com>
projects / cascardo / ovs.git / commit