From 1340ce0c17562e3b0af6c6c117d43bc93372ee79 Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Thu, 15 May 2014 15:52:17 -0700
Subject: [PATCH] ofproto-dpif-upcall: Avoid use-after-free in revalidate() corner cases.

The loop in revalidate() needs to ensure that any data obtained from dpif_flow_dump_next() is used before it is destroyed, as indicated by dpif_flow_dump_next_may_destroy_keys(). In the common case, where processing reaches the end of the main "while" loop, it does this, but in two corner cases the code in the loop execute "continue;", which skipped the check. This commit fixes the problem.

Bug #1249988.

Signed-off-by: Ben Pfaff
Acked-by: Joe Stringer
---
 ofproto/ofproto-dpif-upcall.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
index e1117badc..f15e9162c 100644
--- a/ofproto/ofproto-dpif-upcall.c
+++ b/ofproto/ofproto-dpif-upcall.c
@@ -1470,7 +1470,7 @@ revalidate(struct revalidator *revalidator)
 * flow this time. */
 ovs_mutex_unlock(&ukey->mutex);
 COVERAGE_INC(upcall_duplicate_flow);
- continue;
+ goto next;
 }
 
 used = ukey->created;
@@ -1493,7 +1493,7 @@ revalidate(struct revalidator *revalidator)
 * another revalidator is processing this flow
 * concurrently, so don't bother processing it. */
 ukey_delete(NULL, ukey);
- continue;
+ goto next;
 }
 }
 
@@ -1511,6 +1511,7 @@ revalidate(struct revalidator *revalidator)
 dump_op_init(&ops[n_ops++], key, key_len, ukey);
 }
 
+ next:
 may_destroy = dpif_flow_dump_next_may_destroy_keys(&udpif->dump, state);
-- 
2.20.1
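Review bot: In the second hunk the new `goto next;` is taken right after `ukey_delete(NULL, ukey);`, so by the time control reaches the `next:` label `ukey` has already been released; the one line visible after the label only reads `udpif->dump` and `state`, but the rest of the iteration's tail is outside the hunk, so it is worth confirming that nothing between `next:` and the end of the loop body dereferences `ukey` on this path (the first hunk's jump has the analogous property for the mutex, which it unlocks before jumping). A one-line comment at the jump, `/* ukey is gone; nothing after "next:" may touch it. */`, would make that contract visible to the next person editing the tail. The enclosing revalidate() loop starts and ends outside the hunk.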
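Review bot: The `next:` label added in the third hunk carries no comment stating why every path through the loop body has to reach it, so a later `continue;` inserted above it would silently reintroduce the use-after-free this commit fixes. The invariant is only in the commit message: data obtained from dpif_flow_dump_next() (the `key`/`key_len` that `dump_op_init` queues into `ops`) must be consumed before dpif_flow_dump_next_may_destroy_keys() reports it may be destroyed, which is exactly the check that follows the label. I would add, directly above the label, `/* Every path through the loop body must reach this point: queued ops reference data owned by the flow dump, which may be freed once dpif_flow_dump_next_may_destroy_keys() says so. Never "continue" past it. */`. The enclosing revalidate() loop starts and ends outside the hunk.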