Re: [ovs-dev] [PATCH] netdev-dummy: fix crash with more than one passive connection

Sat, 23 Jul 2016 05:54:07 -0700 

----- Original Message -----
> From: "Ben Pfaff" <b...@ovn.org>
> To: "Lance Richardson" <lrich...@redhat.com>
> Cc: dev@openvswitch.org
> Sent: Friday, July 22, 2016 6:16:59 PM
> Subject: Re: [ovs-dev] [PATCH] netdev-dummy: fix crash with more than one 
> passive connection
> 
> On Wed, Jul 06, 2016 at 07:39:52PM -0400, Lance Richardson wrote:
> > Investigation found that Some of the occasional failures in the
> > "ovn -- vtep: 3 HVs, 1 VIFs/HV, 1 GW, 1 LS" test case are caused
> > by ovs-vswitchd crashing with SIGSEGV. It turns out that the
> > crash occurrs when the number of netdev-dummy passive connections
> > transitions from 1 to 2.  When xrealloc() copies the array of
> > dummy_packet_stream structures from the original buffer to a
> > newly allocated one, the struct ovs_list txq member of the structure
> > becomes corrupt (e.g. if ovs_list_is_empty() would have returned
> > false before the copy, it will return true after the copy, which
> > will lead to a crash when the bogus packet buffer on the list is
> > dereferenced).
> > 
> > Fix by taking a hint from David Wheeler and adding a level of
> > indirection.
> > 
> > Signed-off-by: Lance Richardson <lrich...@redhat.com>
> 
> Thanks for the fix!  I applied this.
> 
> I spotted what looks like another bug and fixed it by folding in the
> following.  If you think it's wrong, please let me know.
> 
> diff --git a/lib/netdev-dummy.c b/lib/netdev-dummy.c
> index b16c9c6..2e7b7e9 100644
> --- a/lib/netdev-dummy.c
> +++ b/lib/netdev-dummy.c
> @@ -459,7 +459,7 @@ dummy_pconn_run(struct netdev_dummy *dev)
>          dev->conn.type = NONE;
>      }
>  
> -    for (i = 0; i < pconn->n_streams; i++) {
> +    for (i = 0; i < pconn->n_streams; ) {
>          struct dummy_packet_stream *s = pconn->streams[i];
>  
>          error = dummy_packet_stream_run(dev, s);
> @@ -470,6 +470,8 @@ dummy_pconn_run(struct netdev_dummy *dev)
>              dummy_packet_stream_close(s);
>              free(s);
>              pconn->streams[i] = pconn->streams[--pconn->n_streams];
> +        } else {
> +            i++;
>          }
>      }
>  }
> 

Well spotted, LGTM.

Thanks,

   Lance
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Reply via email to