From: Ben Pfaff Date: Wed, 27 May 2009 18:37:08 +0000 (-0700) Subject: datapath: Avoid double-free on skb_clone failure in ODPAT_OUTPUT_GROUP. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4f8946230392eaeb837f19ff5ada352ee6d192f;p=openvswitch datapath: Avoid double-free on skb_clone failure in ODPAT_OUTPUT_GROUP. output_group() has no business freeing the skb passed into it, but it was doing so in case of allocation failure. Since execute_actions() would also later free it, this was a serious error. Thanks to Justin for pointing out the problem. --- diff --git a/datapath/actions.c b/datapath/actions.c index 6bbb9f99..d9b92f1d 100644 --- a/datapath/actions.c +++ b/datapath/actions.c @@ -313,6 +313,8 @@ error: kfree_skb(skb); } +/* Never consumes 'skb'. Returns a port that 'skb' should be sent to, -1 if + * none. */ static int output_group(struct datapath *dp, __u16 group, struct sk_buff *skb, gfp_t gfp) { @@ -328,10 +330,8 @@ static int output_group(struct datapath *dp, __u16 group, continue; if (prev_port != -1) { struct sk_buff *clone = skb_clone(skb, gfp); - if (!clone) { - kfree_skb(skb); + if (!clone) return -1; - } do_output(dp, clone, prev_port); } prev_port = p->port_no;