pinctrl: Fix memory leak and use-after-free for NAT IPs in send_garp_run().

send_garp_run() allocated and populated a shash of struct lport_addresses,
but it only freed some of the data.  This fixes the problem.

Of the data that send_garp_run() did free, it freed some of it too early,
possibly leading to a use-after-free error.

CC: Chandra S Vejendla <csvejend@us.ibm.com>
Reported-by: Ramu Ramamurthy <ramu.ramamurthy@gmail.com>
Fixes: 8439c2ebd823 ("ovn: Support for GARP for NAT IPs via localnet")
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>

1 files changed, 9 insertions, 2 deletions

diff --git a/ovn/controller/pinctrl.c b/ovn/controller/pinctrl.c
index 358602a5a..27374676f 100644
--- a/ovn/controller/pinctrl.c
+++ b/ovn/controller/pinctrl.c
@@ -1059,7 +1059,6 @@ send_garp_update(const struct sbrec_port_binding *binding_rec,
             }
             free(name);
         }
-        destroy_lport_addresses(laddrs);
         return;
     }
 
@@ -1302,7 +1301,15 @@ send_garp_run(const struct ovsrec_bridge *br_int, const char *chassis_id,
     sset_destroy(&localnet_vifs);
     sset_destroy(&local_l3gw_ports);
     simap_destroy(&localnet_ofports);
-    shash_destroy_free_data(&nat_addresses);
+
+    SHASH_FOR_EACH_SAFE (iter, next, &nat_addresses) {
+        struct lport_addresses *laddrs = iter->data;
+        destroy_lport_addresses(laddrs);
+        shash_delete(&nat_addresses, iter);
+        free(laddrs);
+    }
+    shash_destroy(&nat_addresses);
+
     sset_destroy(&nat_ip_keys);
 }