From 12804888e56f6551825f0864e374eb5bac427147 Mon Sep 17 00:00:00 2001 From: Ethan Jackson Date: Thu, 7 Jun 2012 13:05:41 -0700 Subject: [PATCH] ofproto: Fix use after free in ofoperation_complete(). In one edge case, ofoperation_complete() destroys its rule, without updating its ofoperation that the rule is gone. Later in the same function, ofoperation_destroy() attempts to modify the rule which was already destroyed. Bug #11797. Signed-off-by: Ethan Jackson --- ofproto/ofproto.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c index 0c24314f..eed04587 100644 --- a/ofproto/ofproto.c +++ b/ofproto/ofproto.c @@ -3617,6 +3617,7 @@ ofoperation_complete(struct ofoperation *op, enum ofperr error) } else { oftable_substitute_rule(rule, op->victim); ofproto_rule_destroy__(rule); + op->rule = NULL; } break; -- 2.30.2
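Review bot: the added `op->rule = NULL;` after `ofproto_rule_destroy__(rule);` in the else branch clears only the pointer held in `op`, so the local `rule` still points at the destroyed rule for the rest of ofoperation_complete(). The fix also depends on ofoperation_destroy() accepting a NULL `op->rule`, which this hunk does not show. Please confirm that nothing after the `break` dereferences `rule` on this path and that ofoperation_destroy() checks `op->rule` before touching it. A one-line comment on the assignment saying the rule has been destroyed and the operation must not reference it would keep a later cleanup from removing the line as redundant.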