authorBen Pfaff <blp@nicira.com>2012-03-19 13:47:50 -0700
committerBen Pfaff <blp@nicira.com>2012-03-19 13:48:24 -0700
commitf486e8405a13667e63765d804dd0ef96f38228c8 (patch)
tree982629e840f066316d87be33324f7b531df50abc /lib/netdev-provider.h
parent6e037e3ca6381fa36fdf6009c4ccc97d0f041be4 (diff)
netdev-linux: Fix use-after-free when netdev_dump_queues() deletes queues.
iface_configure_qos() passes a callback to netdev_dump_queues() that can delete queues. The netdev-linux implementation of this function was unprepared for the callback to delete queues, so this could cause a use-after-free. This fixes the problem in netdev_linux_dump_queues() and documents that netdev_dump_queues() implementations must support deletions in the callback. Found by valgrind: ==1593== Invalid read of size 8 ==1593== at 0x4A8C43: netdev_linux_dump_queues (hmap.h:326) ==1593== by 0x4305F7: bridge_reconfigure (bridge.c:3084) ==1593== by 0x431384: bridge_run (bridge.c:1892) ==1593== by 0x432749: main (ovs-vswitchd.c:96) ==1593== Address 0x632e078 is 8 bytes inside a block of size 32 free'd ==1593== at 0x4C240FD: free (vg_replace_malloc.c:366) ==1593== by 0x4A4D74: hfsc_class_delete (netdev-linux.c:3250) ==1593== by 0x42AA59: iface_delete_queues (bridge.c:3055) ==1593== by 0x4A8C8C: netdev_linux_dump_queues (netdev-linux.c:1881) ==1593== by 0x4305F7: bridge_reconfigure (bridge.c:3084) ==1593== by 0x431384: bridge_run (bridge.c:1892) Bug #10164. Reported-by: Ram Jothikumar <ram@nicira.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Diffstat (limited to 'lib/netdev-provider.h')
-rw-r--r--lib/netdev-provider.h9
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/netdev-provider.h b/lib/netdev-provider.h
index 2ef75b30..dea171db 100644
--- a/lib/netdev-provider.h
+++ b/lib/netdev-provider.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, 2010, 2011 Nicira Networks.
+ * Copyright (c) 2009, 2010, 2011, 2012 Nicira Networks.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -464,7 +464,12 @@ struct netdev_class {
* of iteration is unspecified, but (when successful) each queue is visited
* exactly once.
*
- * 'cb' will not modify or free the 'details' argument passed in. */
+ * 'cb' will not modify or free the 'details' argument passed in. It may
+ * delete or modify the queue passed in as its 'queue_id' argument. It may
+ * modify but will not delete any other queue within 'netdev'. If 'cb'
+ * adds new queues, then ->dump_queues is allowed to visit some queues
+ * twice or not at all.
+ */
int (*dump_queues)(const struct netdev *netdev,
void (*cb)(unsigned int queue_id,
const struct shash *details,
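Review bot: The added paragraph on 'cb' forbids deleting any queue other than 'queue_id' but gives no reason, and that is the restriction a callback author is most likely to break, with a use-after-free in the provider's iteration as the result (the class of fault shown in the valgrind trace in the description). I would add a why-sentence after the "will not delete any other queue" line, for example `* (Implementations may hold a pointer to the next queue across the call to 'cb', so deleting any other queue can leave the iteration on freed memory.)`. That rationale is inferred from the description, since the netdev-linux side of the fix is not part of this file's diff. The same caller-facing rule belongs on the public netdev_dump_queues() comment, which is also not visible here, because callback authors read that rather than the provider header. The comment block and the dump_queues member declaration both continue outside the hunk.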