diff options
author | Lance Richardson <lrichard@redhat.com> | 2017-07-08 17:31:15 -0400 |
---|---|---|
committer | Ben Pfaff <blp@ovn.org> | 2017-07-11 22:04:42 -0700 |
commit | 371a74df104224d5adc3539ae285fd1374473a5d (patch) | |
tree | 54258a8e2f32df43125ddf3d1893cd7364f42652 /ovn/controller | |
parent | ab9dfacad329c005e72e6e0e63589a7a0171e7a4 (diff) | |
download | openvswitch-371a74df104224d5adc3539ae285fd1374473a5d.tar.gz |
ovn-controller: fix use-after-free in physical_run()
The hmap "tunnels" is persistent across IDL loop iterations, but
stores pointers to strings in the local db replica which can be
freed as database updates are processed. Fix by storing a copy
of the string in the hmap instead of a pointer to the string in
the replica.
Found via valgrind.
Fixes: 40128e371ec3 ("physical: Refactor port binding processing.")
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'ovn/controller')
-rw-r--r-- | ovn/controller/physical.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/ovn/controller/physical.c b/ovn/controller/physical.c index f2d9676a5..4f0011f73 100644 --- a/ovn/controller/physical.c +++ b/ovn/controller/physical.c @@ -64,7 +64,7 @@ static struct hmap tunnels = HMAP_INITIALIZER(&tunnels); * used to reach that chassis. */ struct chassis_tunnel { struct hmap_node hmap_node; - const char *chassis_id; + char *chassis_id; ofp_port_t ofport; enum chassis_tunnel_type type; }; @@ -849,7 +849,7 @@ physical_run(struct controller_ctx *ctx, enum mf_field_id mff_ovn_geneve, tun = xmalloc(sizeof *tun); hmap_insert(&tunnels, &tun->hmap_node, hash_string(chassis_id, 0)); - tun->chassis_id = chassis_id; + tun->chassis_id = xstrdup(chassis_id); tun->ofport = u16_to_ofp(ofport); tun->type = tunnel_type; physical_map_changed = true; @@ -871,6 +871,7 @@ physical_run(struct controller_ctx *ctx, enum mf_field_id mff_ovn_geneve, if (!simap_find(&new_tunnel_to_ofport, tun->chassis_id)) { hmap_remove(&tunnels, &tun->hmap_node); physical_map_changed = true; + free(tun->chassis_id); free(tun); } } |