diff mbox series

[ovs-dev,ovn] extend-table: Fix use after free in ovn_extend_table_clear.

Message ID 1581589957-30098-1-git-send-email-dceara@redhat.com
State Accepted
Headers show
Series [ovs-dev,ovn] extend-table: Fix use after free in ovn_extend_table_clear. | expand

Commit Message

Dumitru Ceara Feb. 13, 2020, 10:32 a.m. UTC 
CC: Han Zhou <hzhou@ovn.org>
Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by multiple logical flows.")
Reported-by: Ben Pfaff <blp@ovn.org>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
---
 lib/extend-table.c | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

Comments

Ben Pfaff Feb. 13, 2020, 7:23 p.m. UTC | #1 
On Thu, Feb 13, 2020 at 11:32:37AM +0100, Dumitru Ceara wrote:
> CC: Han Zhou <hzhou@ovn.org>
> Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by multiple logical flows.")
> Reported-by: Ben Pfaff <blp@ovn.org>
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
> Signed-off-by: Dumitru Ceara <dceara@redhat.com>

Thanks.  Applied to master.
Dumitru Ceara Feb. 13, 2020, 7:35 p.m. UTC | #2 
On 2/13/20 8:23 PM, Ben Pfaff wrote:
> On Thu, Feb 13, 2020 at 11:32:37AM +0100, Dumitru Ceara wrote:
>> CC: Han Zhou <hzhou@ovn.org>
>> Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by multiple logical flows.")
>> Reported-by: Ben Pfaff <blp@ovn.org>
>> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
>> Signed-off-by: Dumitru Ceara <dceara@redhat.com>
> 
> Thanks.  Applied to master.
> 

Thanks Ben!

Sorry, I forgot to mention, this should be applied to branch-20.03 as well.

Regards,
Dumitru
Han Zhou Feb. 13, 2020, 8:18 p.m. UTC | #3 
On Thu, Feb 13, 2020 at 11:35 AM Dumitru Ceara <dceara@redhat.com> wrote:
>
> On 2/13/20 8:23 PM, Ben Pfaff wrote:
> > On Thu, Feb 13, 2020 at 11:32:37AM +0100, Dumitru Ceara wrote:
> >> CC: Han Zhou <hzhou@ovn.org>
> >> Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by
multiple logical flows.")
> >> Reported-by: Ben Pfaff <blp@ovn.org>
> >> Reported-at:
https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
> >> Signed-off-by: Dumitru Ceara <dceara@redhat.com>
> >
> > Thanks.  Applied to master.
> >
>
> Thanks Ben!
>
> Sorry, I forgot to mention, this should be applied to branch-20.03 as
well.
>
> Regards,
> Dumitru
>

Thanks Dumitru! Good catch!
Would you mind sending a patch for branch-2.12 as well?
Ben Pfaff Feb. 13, 2020, 9:33 p.m. UTC | #4 
On Thu, Feb 13, 2020 at 08:35:46PM +0100, Dumitru Ceara wrote:
> On 2/13/20 8:23 PM, Ben Pfaff wrote:
> > On Thu, Feb 13, 2020 at 11:32:37AM +0100, Dumitru Ceara wrote:
> >> CC: Han Zhou <hzhou@ovn.org>
> >> Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by multiple logical flows.")
> >> Reported-by: Ben Pfaff <blp@ovn.org>
> >> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
> >> Signed-off-by: Dumitru Ceara <dceara@redhat.com>
> > 
> > Thanks.  Applied to master.
> > 
> 
> Thanks Ben!
> 
> Sorry, I forgot to mention, this should be applied to branch-20.03 as well.

Done.
Dumitru Ceara Feb. 14, 2020, 8:12 a.m. UTC | #5 
On 2/13/20 9:18 PM, Han Zhou wrote:
> 
> 
> On Thu, Feb 13, 2020 at 11:35 AM Dumitru Ceara <dceara@redhat.com
> <mailto:dceara@redhat.com>> wrote:
>>
>> On 2/13/20 8:23 PM, Ben Pfaff wrote:
>> > On Thu, Feb 13, 2020 at 11:32:37AM +0100, Dumitru Ceara wrote:
>> >> CC: Han Zhou <hzhou@ovn.org <mailto:hzhou@ovn.org>>
>> >> Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by
> multiple logical flows.")
>> >> Reported-by: Ben Pfaff <blp@ovn.org <mailto:blp@ovn.org>>
>> >> Reported-at:
> https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
>> >> Signed-off-by: Dumitru Ceara <dceara@redhat.com
> <mailto:dceara@redhat.com>>
>> >
>> > Thanks.  Applied to master.
>> >
>>
>> Thanks Ben!
>>
>> Sorry, I forgot to mention, this should be applied to branch-20.03 as
> well.
>>
>> Regards,
>> Dumitru
>>
> 
> Thanks Dumitru! Good catch!
> Would you mind sending a patch for branch-2.12 as well?

Sure, will do.

Regards,
Dumitru
diff mbox series

Patch

diff --git a/lib/extend-table.c b/lib/extend-table.c
index b102e44..c708e24 100644
--- a/lib/extend-table.c
+++ b/lib/extend-table.c
@@ -25,6 +25,10 @@ 
 
 VLOG_DEFINE_THIS_MODULE(extend_table);
 
+static void
+ovn_extend_table_delete_desired(struct ovn_extend_table *table,
+                                struct ovn_extend_table_lflow_to_desired *l);
+
 void
 ovn_extend_table_init(struct ovn_extend_table *table)
 {
@@ -173,8 +177,7 @@  ovn_extend_table_clear(struct ovn_extend_table *table, bool existing)
     if (!existing) {
         struct ovn_extend_table_lflow_to_desired *l, *l_next;
         HMAP_FOR_EACH_SAFE (l, l_next, hmap_node, &table->lflow_to_desired) {
-            hmap_remove(&table->lflow_to_desired, &l->hmap_node);
-            free(l);
+            ovn_extend_table_delete_desired(table, l);
         }
     }
 
@@ -214,18 +217,10 @@  ovn_extend_table_remove_existing(struct ovn_extend_table *table,
     ovn_extend_table_info_destroy(existing);
 }
 
-/* Remove entries in desired table that are created by the lflow_uuid */
-void
-ovn_extend_table_remove_desired(struct ovn_extend_table *table,
-                                const struct uuid *lflow_uuid)
+static void
+ovn_extend_table_delete_desired(struct ovn_extend_table *table,
+                                struct ovn_extend_table_lflow_to_desired *l)
 {
-    struct ovn_extend_table_lflow_to_desired *l =
-        ovn_extend_table_find_desired_by_lflow(table, lflow_uuid);
-
-    if (!l) {
-        return;
-    }
-
     hmap_remove(&table->lflow_to_desired, &l->hmap_node);
     struct ovn_extend_table_lflow_ref *r, *next_r;
     LIST_FOR_EACH_SAFE (r, next_r, list_node, &l->desired) {
@@ -233,7 +228,7 @@  ovn_extend_table_remove_desired(struct ovn_extend_table *table,
         ovn_extend_info_del_lflow_ref(r);
         if (hmap_is_empty(&e->references)) {
             VLOG_DBG("%s: %s, "UUID_FMT, __func__,
-                     e->name, UUID_ARGS(lflow_uuid));
+                     e->name, UUID_ARGS(&l->lflow_uuid));
             hmap_remove(&table->desired, &e->hmap_node);
             if (e->new_table_id) {
                 bitmap_set0(table->table_ids, e->table_id);
@@ -244,6 +239,21 @@  ovn_extend_table_remove_desired(struct ovn_extend_table *table,
     free(l);
 }
 
+/* Remove entries in desired table that are created by the lflow_uuid */
+void
+ovn_extend_table_remove_desired(struct ovn_extend_table *table,
+                                const struct uuid *lflow_uuid)
+{
+    struct ovn_extend_table_lflow_to_desired *l =
+        ovn_extend_table_find_desired_by_lflow(table, lflow_uuid);
+
+    if (!l) {
+        return;
+    }
+
+    ovn_extend_table_delete_desired(table, l);
+}
+
 static struct ovn_extend_table_info*
 ovn_extend_info_clone(struct ovn_extend_table_info *source)
 {