Commit 87400a3d4cc4a (dpif-netdev: Fix use-after-free in port_unref().)
fixed one use-after-free in the common case of port_unref(). However,
there was another, similar case: if port->netdev has no rxqs, then
the netdev_close() causes port->netdev to be destroyed and thus the
following call to netdev_n_rxq() accesses freed memory. This commit fixes
the problem.
Found by valgrind.
Signed-off-by: Ben Pfaff <b...@nicira.com>
---
lib/dpif-netdev.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 91c83d6..112ebb1 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -820,13 +820,12 @@ port_ref(struct dp_netdev_port *port)
static void
port_destroy__(struct dp_netdev_port *port)
{
- int n_rxq;
+ int n_rxq = netdev_n_rxq(port->netdev);
int i;
netdev_close(port->netdev);
netdev_restore_flags(port->sf);
- n_rxq = netdev_n_rxq(port->netdev);
for (i = 0; i < n_rxq; i++) {
netdev_rxq_close(port->rxq[i]);
}
--
1.7.10.4
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
