collect_rules_strict() and collect_rules_loose() destroy the rule collections that they create if they return an error, and some of their callers then go on to destroy them again. This could cause a double-free in the case where rule_collection_destroy() actually calls free(). That never happens in the current tree, because free() is only necessary if malloc() was called and there's a 64-entry stub that none of the current code in collect_rules_*() can fill up in their error cases. Still, it seems better to fix the problem.
Found by clang-analyzer. Signed-off-by: Ben Pfaff <b...@nicira.com> --- ofproto/ofproto.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c index a1f73c0..6d0c608 100644 --- a/ofproto/ofproto.c +++ b/ofproto/ofproto.c @@ -3420,6 +3420,9 @@ rule_collection_destroy(struct rule_collection *rules) if (rules->rules != rules->stub) { free(rules->rules); } + + /* Make repeated destruction harmless. */ + rule_collection_init(rules); } /* Checks whether 'rule' matches 'c' and, if so, adds it to 'rules'. This -- 1.7.10.4 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
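Review bot: Making rule_collection_destroy() re-initialize the collection only masks the double destruction that the commit message describes; the callers that destroy a collection that collect_rules_strict()/collect_rules_loose() already destroyed on their error path still have an ownership bug, so consider also dropping the redundant destroy on one side (either in the collect_rules_*() error paths or in their callers) so that ownership of the collection is unambiguous. The hunk itself is correct assuming, as the "Make repeated destruction harmless" comment implies, that rule_collection_init() points rules->rules back at rules->stub, because a second call then takes the `rules->rules != rules->stub` branch's false path and skips free(); please state that guarantee in the comment above rule_collection_destroy() (something like "Leaves 'rules' initialized, so destroying it again is a no-op") so future callers do not rely on the current 64-entry stub never being exceeded on an error path.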