dpif-netdev: Fix another use-after-free in port_unref().

Commit 87400a3d4cc4a (dpif-netdev: Fix use-after-free in port_unref().)
fixed one use-after-free in the common case of port_unref().  However,
there was another, similar case: if port->netdev has no rxqs, then
the netdev_close() causes port->netdev to be destroyed and thus the
following call to netdev_n_rxq() accesses freed memory.  This commit fixes
the problem.

Found by valgrind.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>

diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 87d1eb5..bbdb169 100644 (file)
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -811,13 +811,12 @@ static void
 port_unref(struct dp_netdev_port *port)
 {
     if (port && ovs_refcount_unref(&port->ref_cnt) == 1) {
-        int n_rxq;
+        int n_rxq = netdev_n_rxq(port->netdev);
         int i;
 
         netdev_close(port->netdev);
         netdev_restore_flags(port->sf);
 
-        n_rxq = netdev_n_rxq(port->netdev);
         for (i = 0; i < n_rxq; i++) {
             netdev_rxq_close(port->rxq[i]);
         }