From 7c70698f0134fe1dee756e468a095ddd6366a7d5 Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Fri, 9 Dec 2011 15:57:55 -0800 Subject: [PATCH] bridge: Avoid use-after-free with VLAN splinters and multiple bridges. The VLAN splinters feature uses a "pool" to track and free allocated blocks. There's only one pool, but the implementation was freeing all of the blocks in it for every bridge during reconfiguration, not just once for each reconfiguration, so caused a use-after-free when there was more than one bridge and a bridge other than the last one in the list of bridges had a VLAN splinter port. Bug #8671. Reported-by: Michael Mao Signed-off-by: Ben Pfaff --- vswitchd/bridge.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c index f79b69cd..adf01f7f 100644 --- a/vswitchd/bridge.c +++ b/vswitchd/bridge.c @@ -3405,6 +3405,10 @@ collect_splinter_vlans(const struct ovsrec_open_vswitch *ovs_cfg) struct bridge *br; size_t i; + /* Free space allocated for synthesized ports and interfaces, since we're + * in the process of reconstructing all of them. */ + free_registered_blocks(); + splinter_vlans = NULL; sset_init(&splinter_ifaces); for (i = 0; i < ovs_cfg->n_bridges; i++) { @@ -3572,8 +3576,6 @@ add_vlan_splinter_ports(struct bridge *br, { size_t i; - free_registered_blocks(); - /* We iterate through 'br->cfg->ports' instead of 'ports' here because * we're modifying 'ports'. */ for (i = 0; i < br->cfg->n_ports; i++) { -- 2.30.2
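Review bot: In the first hunk, the free_registered_blocks() call at the top of collect_splinter_vlans() gives a function named as a collector a freeing side effect, and the fix is only correct if this function runs exactly once per reconfiguration and before any add_vlan_splinter_ports() call. That ordering is not visible in the hunk. Please state it in the function's header comment, or move the call to the point where reconfiguration starts so the once-per-reconfiguration lifetime of the pool is explicit at the call site.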
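Review bot: In the second hunk, once free_registered_blocks() is removed from the top of add_vlan_splinter_ports(), nothing in this function records that the pool's blocks for synthesized ports and interfaces must stay valid across all remaining bridges until the next collect_splinter_vlans() call. A short comment to that effect would keep a per-bridge free from being reintroduced later. The diffstat also shows only vswitchd/bridge.c changed, so consider adding a test with more than one bridge where a bridge other than the last has a VLAN splinter port, which is the case the commit message describes.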