On Fri, Aug 19, 2016 at 11:34:04AM -0700, Justin Pettit wrote:
> 
> > On Aug 19, 2016, at 9:03 AM, Ben Pfaff <b...@ovn.org> wrote:
> > 
> > send_garp_run() allocated and populated a shash of struct lport_addresses,
> > but it only freed some of the data.  This fixes the problem.
> > 
> > CC: Chandra S Vejendla <csvej...@us.ibm.com>
> > Reported-by: Ramu Ramamurthy <ramu.ramamur...@gmail.com>
> > Fixes: 8439c2ebd823 ("ovn: Support for GARP for NAT IPs via localnet")
> > Signed-off-by: Ben Pfaff <b...@ovn.org>
> 
> I think this may fix a possible use-after-free problem with "nat_addresses", 
> too.  There are two separate calls to send_garp_update() in send_garp_run() 
> that take "nat_addresses" as an argument.  If "laddrs" is used in the first 
> call, the data is freed, but the data pointer still exists in 
> "nat_addresses".  It's possible that a second call could then try to 
> dereference the pointer value that's there.  I didn't look closely enough at 
> the code to see if something makes sure that both calls can never reference 
> the same entry, though.
> 
> Acked-by: Justin Pettit <jpet...@ovn.org>

Thanks, I added a note about the possible use-after-free.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
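
One way to avoid both the leak and the stale pointer discussed in this thread, as an added example that is not Open vSwitch code: an entry is unlinked from the container before its data is freed, and teardown frees whatever is still present. The small table, `struct addrs`, and every function name here are hypothetical stand-ins for the shash and `struct lport_addresses`.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins: a tiny name->data table instead of OVS's shash,
 * and struct addrs instead of struct lport_addresses. */
struct addrs { char *ips; };
struct entry { const char *name; struct addrs *data; };
struct table { struct entry e[8]; size_t n; };
static int live_allocs;              /* outstanding struct addrs objects */

static void table_add(struct table *t, const char *name, const char *ips)
{
    struct addrs *a = malloc(sizeof *a);
    char *copy = malloc(strlen(ips) + 1);
    if (!a || !copy || t->n == 8) { free(a); free(copy); return; }
    strcpy(copy, ips);
    a->ips = copy;
    live_allocs++;
    t->e[t->n++] = (struct entry) { name, a };
}

static void addrs_destroy(struct addrs *a)
{
    free(a->ips);
    free(a);
    live_allocs--;
}

/* Use an entry once. It is unlinked before it is freed, so a second call
 * with the same name finds nothing instead of a dangling pointer. */
static int consume(struct table *t, const char *name)
{
    for (size_t i = 0; i < t->n; i++) {
        if (!strcmp(t->e[i].name, name)) {
            struct addrs *a = t->e[i].data;
            t->e[i] = t->e[--t->n];  /* drop the slot from the table */
            addrs_destroy(a);
            return 1;
        }
    }
    return 0;
}

/* Teardown frees every entry that was never consumed, so nothing leaks. */
static void table_destroy(struct table *t)
{
    while (t->n) addrs_destroy(t->e[--t->n].data);
}

int demo(void)
{
    struct table t = { .n = 0 };
    table_add(&t, "lp1", "10.0.0.1");    /* constructed sample data */
    table_add(&t, "lp2", "10.0.0.2");
    int first = consume(&t, "lp1"), second = consume(&t, "lp1");
    table_destroy(&t);                   /* frees the untouched "lp2" */
    return first == 1 && second == 0 && live_allocs == 0;
}

int main(void) { return demo() ? 0 : 1; }
```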
