author | Ben Pfaff <blp@nicira.com> | 2012-03-19 13:47:50 -0700 |
---|---|---|
committer | Ben Pfaff <blp@nicira.com> | 2012-03-19 13:48:24 -0700 |
commit | f486e8405a13667e63765d804dd0ef96f38228c8 (patch) | |
tree | 982629e840f066316d87be33324f7b531df50abc /lib/netdev.c | |
parent | 6e037e3ca6381fa36fdf6009c4ccc97d0f041be4 (diff) |
netdev-linux: Fix use-after-free when netdev_dump_queues() deletes queues.
iface_configure_qos() passes a callback to netdev_dump_queues() that can
delete queues. The netdev-linux implementation of this function was
unprepared for the callback to delete queues, so this could cause a
use-after-free. This fixes the problem in netdev_linux_dump_queues() and
documents that netdev_dump_queues() implementations must support deletions
in the callback.
Found by valgrind:
==1593== Invalid read of size 8
==1593== at 0x4A8C43: netdev_linux_dump_queues (hmap.h:326)
==1593== by 0x4305F7: bridge_reconfigure (bridge.c:3084)
==1593== by 0x431384: bridge_run (bridge.c:1892)
==1593== by 0x432749: main (ovs-vswitchd.c:96)
==1593== Address 0x632e078 is 8 bytes inside a block of size 32 free'd
==1593== at 0x4C240FD: free (vg_replace_malloc.c:366)
==1593== by 0x4A4D74: hfsc_class_delete (netdev-linux.c:3250)
==1593== by 0x42AA59: iface_delete_queues (bridge.c:3055)
==1593== by 0x4A8C8C: netdev_linux_dump_queues (netdev-linux.c:1881)
==1593== by 0x4305F7: bridge_reconfigure (bridge.c:3084)
==1593== by 0x431384: bridge_run (bridge.c:1892)
Bug #10164.
Reported-by: Ram Jothikumar <ram@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
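The iteration hazard the message describes (a dump routine whose callback may free the element currently being visited), as an added example that is not Open vSwitch code: a singly linked list stands in for the real hmap, and every name below is hypothetical. The successor is read before the callback runs, which is what makes deleting the current queue safe, and it is also why the contract forbids deleting any other queue.

```c
#include <stdlib.h>
/* Constructed stand-in for the OVS queue table; all names are hypothetical. */
struct queue { unsigned int queue_id; struct queue *next; };
struct queue_table { struct queue *head; };
typedef void queue_cb(struct queue_table *t, unsigned int queue_id, void *aux);

static void queue_add(struct queue_table *t, unsigned int queue_id)
{
    struct queue *q = malloc(sizeof *q);
    *q = (struct queue){ queue_id, t->head };
    t->head = q;
}
/* Unlink and free the queue with 'queue_id'; dump callbacks may call this. */
static void queue_delete(struct queue_table *t, unsigned int queue_id)
{
    for (struct queue **pp = &t->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->queue_id == queue_id) {
            struct queue *dead = *pp;
            *pp = dead->next;
            free(dead);
            return;
        }
    }
}
/* Visits each queue once.  'next' is read before 'cb' runs, so 'cb' may delete
 * the current queue without 'q' dangling.  It must not delete any other queue:
 * the saved 'next' could then be freed memory.  Returns the number visited. */
int dump_queues(struct queue_table *t, queue_cb *cb, void *aux)
{
    int visited = 0;
    for (struct queue *q = t->head, *next; q; q = next) {
        next = q->next;
        cb(t, q->queue_id, aux);
        visited++;
    }
    return visited;
}
/* Callback that deletes the queue it was handed whenever its id is odd. */
static void delete_odd_cb(struct queue_table *t, unsigned int queue_id, void *aux)
{
    (void) aux; if (queue_id % 2) queue_delete(t, queue_id);
}
/* Builds queues 0..n-1, dumps with the deleting callback, returns the visit count. */
int demo_delete_during_dump(unsigned int n, int *remaining)
{
    struct queue_table t = { NULL };
    for (unsigned int i = 0; i < n; i++) queue_add(&t, i);
    int visited = dump_queues(&t, delete_odd_cb, NULL);
    for (*remaining = 0; t.head; (*remaining)++) queue_delete(&t, t.head->queue_id);
    return visited;
}
```

Running this under valgrind shows no invalid reads, whereas advancing with `q = q->next` after the callback reproduces the pattern in the report above.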
Diffstat (limited to 'lib/netdev.c')
-rw-r--r-- | lib/netdev.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/netdev.c b/lib/netdev.c index 5aa30a7a..305ad13f 100644 --- a/lib/netdev.c +++ b/lib/netdev.c @@ -1235,7 +1235,11 @@ netdev_get_queue_stats(const struct netdev *netdev, unsigned int queue_id, * Calling this function may be more efficient than calling netdev_get_queue() * for every queue. * - * 'cb' must not modify or free the 'details' argument passed in. + * 'cb' must not modify or free the 'details' argument passed in. It may + * delete or modify the queue passed in as its 'queue_id' argument. It may + * modify but must not delete any other queue within 'netdev'. 'cb' should not + * add new queues because this may cause some queues to be visited twice or not + * at all. * * Returns 0 if successful, otherwise a positive errno value. On error, some * configured queues may not have been included in the iteration. */ |
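Review bot: In the added comment text, "'cb' should not add new queues because this may cause some queues to be visited twice or not at all" reads as advisory while the neighbouring constraints use "must not", yet the consequence it names (queues skipped or visited twice) is a correctness failure for callers of netdev_dump_queues(), so "should not" ought to be "must not" for consistency with "It may modify but must not delete any other queue within 'netdev'". Separately, this hunk documents the caller-side rules for 'cb', whereas the commit message says the point being documented is that netdev_dump_queues() implementations must support deletions in the callback; that implementer-facing obligation should also appear wherever the provider-side dump_queues interface is documented, and since the diffstat shown here is limited to lib/netdev.c, neither the netdev_linux_dump_queues() change nor any provider-side wording is visible in this view and should be confirmed in the full commit.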