ofproto-dpif-upcall: Avoid use-after-free in revalidate() corner cases.

The loop in revalidate() needs to ensure that any data obtained from dpif_flow_dump_next() is used before it is destroyed, as indicated by dpif_flow_dump_next_may_destroy_keys(). In the common case, where processing reaches the end of the main "while" loop, it does this, but in two corner cases the code in the loop execute "continue;", which skipped the check. This commit fixes the problem. Bug #1249988. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Joe Stringer <joestringer@nicira.com>
2025-08-31 14:25:26 +00:00 · 2014-05-15 15:52:17 -07:00
parent fbf4f74d8f
commit a6ce4b9d25
1 changed files with 3 additions and 2 deletions
--- a/ofproto/ofproto-dpif-upcall.c
+++ b/ofproto/ofproto-dpif-upcall.c
@@ -1470,7 +1470,7 @@ revalidate(struct revalidator *revalidator)
                 * flow this time. */
                ovs_mutex_unlock(&ukey->mutex);
                COVERAGE_INC(upcall_duplicate_flow);
-                continue;
+                goto next;
            }

            used = ukey->created;
@@ -1493,7 +1493,7 @@ revalidate(struct revalidator *revalidator)
                     * another revalidator is processing this flow
                     * concurrently, so don't bother processing it. */
                    ukey_delete(NULL, ukey);
-                    continue;
+                    goto next;
                }
            }

@@ -1511,6 +1511,7 @@ revalidate(struct revalidator *revalidator)
            dump_op_init(&ops[n_ops++], key, key_len, ukey);
        }

+    next:
        may_destroy = dpif_flow_dump_next_may_destroy_keys(&udpif->dump,
                                                           state);