dpif-netdev: Fix use-after-free in port_unref().

When the last rxq is closed (which releases the rxq's internal reference
to its netdev) the next call to netdev_n_rxq() accesses freed memory.

Found by valgrind.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Reported-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>

diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index a255a96..881b6c4 100644 (file)
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -811,12 +811,14 @@ static void
 port_unref(struct dp_netdev_port *port)
 {
     if (port && ovs_refcount_unref(&port->ref_cnt) == 1) {
+        int n_rxq;
         int i;
 
         netdev_close(port->netdev);
         netdev_restore_flags(port->sf);
 
-        for (i = 0; i < netdev_n_rxq(port->netdev); i++) {
+        n_rxq = netdev_n_rxq(port->netdev);
+        for (i = 0; i < n_rxq; i++) {
             netdev_rxq_close(port->rxq[i]);
         }
         free(port->type);