diff options
author | Ben Pfaff <blp@ovn.org> | 2016-08-19 08:34:55 -0700 |
---|---|---|
committer | Ben Pfaff <blp@ovn.org> | 2016-08-19 16:31:15 -0700 |
commit | 02d1f722d4ade7f61bd99648971ee79f0df318da (patch) | |
tree | 7c6229618ee554b79bb4a6771948a1e9317c034b | |
parent | b4c632526b684db5a122da6663f4ef25c9e1df12 (diff) | |
download | openvswitch-02d1f722d4ade7f61bd99648971ee79f0df318da.tar.gz |
pinctrl: Fix memory leak and use-after-free for NAT IPs in send_garp_run().
send_garp_run() allocated and populated a shash of struct lport_addresses,
but it only freed some of the data. This fixes the problem.
Of the data that send_garp_run() did free, it freed some of it too early,
possibly leading to a use-after-free error.
CC: Chandra S Vejendla <csvejend@us.ibm.com>
Reported-by: Ramu Ramamurthy <ramu.ramamurthy@gmail.com>
Fixes: 8439c2ebd823 ("ovn: Support for GARP for NAT IPs via localnet")
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
-rw-r--r-- | ovn/controller/pinctrl.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ovn/controller/pinctrl.c b/ovn/controller/pinctrl.c index 358602a5a..27374676f 100644 --- a/ovn/controller/pinctrl.c +++ b/ovn/controller/pinctrl.c @@ -1059,7 +1059,6 @@ send_garp_update(const struct sbrec_port_binding *binding_rec, } free(name); } - destroy_lport_addresses(laddrs); return; } @@ -1302,7 +1301,15 @@ send_garp_run(const struct ovsrec_bridge *br_int, const char *chassis_id, sset_destroy(&localnet_vifs); sset_destroy(&local_l3gw_ports); simap_destroy(&localnet_ofports); - shash_destroy_free_data(&nat_addresses); + + SHASH_FOR_EACH_SAFE (iter, next, &nat_addresses) { + struct lport_addresses *laddrs = iter->data; + destroy_lport_addresses(laddrs); + shash_delete(&nat_addresses, iter); + free(laddrs); + } + shash_destroy(&nat_addresses); + sset_destroy(&nat_ip_keys); } |