[ovs-dev,branch-2.12] extend-table: Fix use after free in ovn_extend_table_clear.
diff mbox series

Message ID 1581668517-10256-1-git-send-email-dceara@redhat.com
State Accepted
Headers show
Series
  • [ovs-dev,branch-2.12] extend-table: Fix use after free in ovn_extend_table_clear.
Related show

Commit Message

Dumitru Ceara Feb. 14, 2020, 8:21 a.m. UTC
CC: Han Zhou <hzhou@ovn.org>
Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by multiple logical flows.")
Reported-by: Ben Pfaff <blp@ovn.org>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
Signed-off-by: Dumitru Ceara <dceara@redhat.com>

(cherry picked from ovn commit 22d9a6f35551e3078394d5f8849055f43638e0d1)
---
 ovn/lib/extend-table.c | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

Comments

Ben Pfaff Feb. 14, 2020, 5:51 p.m. UTC | #1
On Fri, Feb 14, 2020 at 09:21:57AM +0100, Dumitru Ceara wrote:
> CC: Han Zhou <hzhou@ovn.org>
> Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by multiple logical flows.")
> Reported-by: Ben Pfaff <blp@ovn.org>
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
> Signed-off-by: Dumitru Ceara <dceara@redhat.com>
> 
> (cherry picked from ovn commit 22d9a6f35551e3078394d5f8849055f43638e0d1)

Thanks, applied to branch-2.12.
Dumitru Ceara Feb. 17, 2020, 8:12 a.m. UTC | #2
On 2/14/20 6:51 PM, Ben Pfaff wrote:
> On Fri, Feb 14, 2020 at 09:21:57AM +0100, Dumitru Ceara wrote:
>> CC: Han Zhou <hzhou@ovn.org>
>> Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by multiple logical flows.")
>> Reported-by: Ben Pfaff <blp@ovn.org>
>> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
>> Signed-off-by: Dumitru Ceara <dceara@redhat.com>
>>
>> (cherry picked from ovn commit 22d9a6f35551e3078394d5f8849055f43638e0d1)
> 
> Thanks, applied to branch-2.12.
> 

Thanks Ben!

Patch
diff mbox series

diff --git a/ovn/lib/extend-table.c b/ovn/lib/extend-table.c
index 18e16f7..95768f1 100644
--- a/ovn/lib/extend-table.c
+++ b/ovn/lib/extend-table.c
@@ -25,6 +25,10 @@ 
 
 VLOG_DEFINE_THIS_MODULE(extend_table);
 
+static void
+ovn_extend_table_delete_desired(struct ovn_extend_table *table,
+                                struct ovn_extend_table_lflow_to_desired *l);
+
 void
 ovn_extend_table_init(struct ovn_extend_table *table)
 {
@@ -173,8 +177,7 @@  ovn_extend_table_clear(struct ovn_extend_table *table, bool existing)
     if (!existing) {
         struct ovn_extend_table_lflow_to_desired *l, *l_next;
         HMAP_FOR_EACH_SAFE (l, l_next, hmap_node, &table->lflow_to_desired) {
-            hmap_remove(&table->lflow_to_desired, &l->hmap_node);
-            free(l);
+            ovn_extend_table_delete_desired(table, l);
         }
     }
 
@@ -214,18 +217,10 @@  ovn_extend_table_remove_existing(struct ovn_extend_table *table,
     ovn_extend_table_info_destroy(existing);
 }
 
-/* Remove entries in desired table that are created by the lflow_uuid */
-void
-ovn_extend_table_remove_desired(struct ovn_extend_table *table,
-                                const struct uuid *lflow_uuid)
+static void
+ovn_extend_table_delete_desired(struct ovn_extend_table *table,
+                                struct ovn_extend_table_lflow_to_desired *l)
 {
-    struct ovn_extend_table_lflow_to_desired *l =
-        ovn_extend_table_find_desired_by_lflow(table, lflow_uuid);
-
-    if (!l) {
-        return;
-    }
-
     hmap_remove(&table->lflow_to_desired, &l->hmap_node);
     struct ovn_extend_table_lflow_ref *r, *next_r;
     LIST_FOR_EACH_SAFE (r, next_r, list_node, &l->desired) {
@@ -233,7 +228,7 @@  ovn_extend_table_remove_desired(struct ovn_extend_table *table,
         ovn_extend_info_del_lflow_ref(r);
         if (hmap_is_empty(&e->references)) {
             VLOG_DBG("%s: %s, "UUID_FMT, __func__,
-                     e->name, UUID_ARGS(lflow_uuid));
+                     e->name, UUID_ARGS(&l->lflow_uuid));
             hmap_remove(&table->desired, &e->hmap_node);
             if (e->new_table_id) {
                 bitmap_set0(table->table_ids, e->table_id);
@@ -244,6 +239,21 @@  ovn_extend_table_remove_desired(struct ovn_extend_table *table,
     free(l);
 }
 
+/* Remove entries in desired table that are created by the lflow_uuid */
+void
+ovn_extend_table_remove_desired(struct ovn_extend_table *table,
+                                const struct uuid *lflow_uuid)
+{
+    struct ovn_extend_table_lflow_to_desired *l =
+        ovn_extend_table_find_desired_by_lflow(table, lflow_uuid);
+
+    if (!l) {
+        return;
+    }
+
+    ovn_extend_table_delete_desired(table, l);
+}
+
 static struct ovn_extend_table_info*
 ovn_extend_info_clone(struct ovn_extend_table_info *source)
 {