ovsdb-idl: Fix use-after-free error in ovsdb_idl_txn_delete().

[openvswitch] / lib / jsonrpc.c

diff --git a/lib/jsonrpc.c b/lib/jsonrpc.c
index aeb1dd8245fa77b14562b986472ab55fc1d1ea4a..562a2870056956edfb8b4e46535e929eb1a9e3a8 100644 (file)
--- a/lib/jsonrpc.c
+++ b/lib/jsonrpc.c
@@ -172,6 +172,7 @@ jsonrpc_log_msg(const struct jsonrpc *rpc, const char *title,
     }
 }
 
+/* Always takes ownership of 'msg', regardless of success. */
 int
 jsonrpc_send(struct jsonrpc *rpc, struct jsonrpc_msg *msg)
 {
@@ -268,6 +269,7 @@ jsonrpc_recv_wait(struct jsonrpc *rpc)
     }
 }
 
+/* Always takes ownership of 'msg', regardless of success. */
 int
 jsonrpc_send_block(struct jsonrpc *rpc, struct jsonrpc_msg *msg)
 {
@@ -278,12 +280,14 @@ jsonrpc_send_block(struct jsonrpc *rpc, struct jsonrpc_msg *msg)
         return error;
     }
 
-    while (!queue_is_empty(&rpc->output) && !rpc->status) {
+    for (;;) {
         jsonrpc_run(rpc);
+        if (queue_is_empty(&rpc->output) || rpc->status) {
+            return rpc->status;
+        }
         jsonrpc_wait(rpc);
         poll_block();
     }
-    return rpc->status;
 }
 
 int
@@ -302,6 +306,7 @@ jsonrpc_recv_block(struct jsonrpc *rpc, struct jsonrpc_msg **msgp)
     }
 }
 
+/* Always takes ownership of 'request', regardless of success. */
 int
 jsonrpc_transact_block(struct jsonrpc *rpc, struct jsonrpc_msg *request,
                        struct jsonrpc_msg **replyp)
@@ -790,10 +795,16 @@ jsonrpc_session_get_name(const struct jsonrpc_session *s)
     return reconnect_get_name(s->reconnect);
 }
 
+/* Always takes ownership of 'msg', regardless of success. */
 int
 jsonrpc_session_send(struct jsonrpc_session *s, struct jsonrpc_msg *msg)
 {
-    return s->rpc ? jsonrpc_send(s->rpc, msg) : ENOTCONN;
+    if (s->rpc) {
+        return jsonrpc_send(s->rpc, msg);
+    } else {
+        jsonrpc_msg_destroy(msg);
+        return ENOTCONN;
+    }
 }
 
 struct jsonrpc_msg *