diff options
| author | Yifeng Sun <pkusunyifeng@gmail.com> | 2017-12-11 05:44:07 -0800 |
|---|---|---|
| committer | Ben Pfaff <blp@ovn.org> | 2017-12-20 11:25:56 -0800 |
| commit | 97c814e9a6f86983bdec176e5b929126a347e4a3 (patch) | |
| tree | c16de65bdd1642e0296d1316ce989dbe43935788 | |
| parent | e04ab7ae8feb2c55b9b9730b59d8b72e85a0ffcb (diff) | |
| download | openvswitch-97c814e9a6f86983bdec176e5b929126a347e4a3.tar.gz | |
bond: Fix bug that writes to freed memory
pr_op->pr_rule is pointing to memory in bond->hash. It shouldn't be written
if bond->hash is already freed.
This bug is reported by running kernel path testsuite under valgrind:
Invalid write of size 8
at 0x413D16: update_recirc_rules__ (bond.c:392)
by 0x414CA0: bond_unref (bond.c:290)
by 0x427E3C: bundle_destroy (ofproto-dpif.c:3002)
by 0x429EF4: bundle_set (ofproto-dpif.c:3023)
by 0x40858B: port_destroy (bridge.c:4087)
by 0x40BD04: bridge_destroy (bridge.c:3266)
by 0x410528: bridge_exit (bridge.c:506)
by 0x4072EE: main (ovs-vswitchd.c:135)
Address 0xb5a85f0 is 5,360 bytes inside a block of size 12,288 free'd
at 0x4C2EDEB: free (/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x414C8D: bond_unref (bond.c:288)
by 0x427E3C: bundle_destroy (ofproto-dpif.c:3002)
by 0x429EF4: bundle_set (ofproto-dpif.c:3023)
by 0x40858B: port_destroy (bridge.c:4087)
by 0x40BD04: bridge_destroy (bridge.c:3266)
by 0x410528: bridge_exit (bridge.c:506)
by 0x4072EE: main (ovs-vswitchd.c:135)
Block was alloc'd at
at 0x4C2DB8F: malloc (/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x516C04: xmalloc (util.c:120)
by 0x414FD1: bond_entry_reset (bond.c:1651)
by 0x414FD1: bond_reconfigure (bond.c:470)
by 0x41507D: bond_create (bond.c:245)
by 0x429D5D: bundle_set (ofproto-dpif.c:3194)
by 0x408AC8: port_configure (bridge.c:1052)
by 0x40CD87: bridge_reconfigure (bridge.c:682)
by 0x410775: bridge_run (bridge.c:2998)
by 0x407244: main (ovs-vswitchd.c:119)
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
| -rw-r--r-- | ofproto/bond.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/ofproto/bond.c b/ofproto/bond.c index da35796aa..ce65449b6 100644 --- a/ofproto/bond.c +++ b/ofproto/bond.c @@ -386,7 +386,9 @@ update_recirc_rules(struct bond *bond) } hmap_remove(&bond->pr_rule_ops, &pr_op->hmap_node); - *pr_op->pr_rule = NULL; + if (bond->hash) { + *pr_op->pr_rule = NULL; + } free(pr_op); break; } |