From: Ethan Jackson Date: Thu, 7 Jun 2012 20:05:41 +0000 (-0700) Subject: ofproto: Fix use after free in ofoperation_complete(). X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12804888e56f6551825f0864e374eb5bac427147;p=openvswitch ofproto: Fix use after free in ofoperation_complete(). In one edge case, ofoperation_complete() destroys its rule, without updating its ofoperation that the rule is gone. Later in the same function, ofoperation_destroy() attempts to modify the rule which was already destroyed. Bug #11797. Signed-off-by: Ethan Jackson --- diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c index 0c24314f..eed04587 100644 --- a/ofproto/ofproto.c +++ b/ofproto/ofproto.c @@ -3617,6 +3617,7 @@ ofoperation_complete(struct ofoperation *op, enum ofperr error) } else { oftable_substitute_rule(rule, op->victim); ofproto_rule_destroy__(rule); + op->rule = NULL; } break;
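Review bot: the added `op->rule = NULL;` after `ofproto_rule_destroy__(rule);` only closes the use after free if ofoperation_destroy() checks op->rule for NULL before modifying it, and that check is not visible in this hunk. Please confirm it exists, or add it in the same patch. The line would also benefit from a one-line comment saying the rule has just been destroyed and that ofoperation_destroy() must not touch it, so the assignment is not later removed as redundant. Separately, the local `rule` still holds the freed pointer after this else branch, so it is worth checking that nothing after the `break` dereferences it.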