ovsdb-idl: Fix use-after-free when destroying an IDL loop.

Transactions that are still incomplete (waiting for a reply from the server) are kept in the IDL's 'outstanding_txns' map. When a transaction is destroyed, ovsdb_idl_txn_destroy() will take care of removing the transaction from the 'outstanding_txns' map if the transaction was incomplete but also abort it and disassemble it if needed. Aborting the transaction first, before ovsdb_idl_txn_destroy(), may cause an use-after-free if the transaction was outstanding; that's because the transaction would move to state "aborted" without being removed from the 'outstanding_txns' map. Fixes: 53a540e ("ovsdb-idl: ovsdb_idl_loop_destroy must also destroy the committing txn.") Signed-off-by: Dumitru Ceara <[email protected]> Signed-off-by: Ilya Maximets <[email protected]>
Dragmaf93 · Feb 16, 2022 · 4628be9 · 4628be9
1 parent 31dc72c
commit 4628be9
Showing 1 changed file with 0 additions and 1 deletion.
diff --git a/lib/ovsdb-idl.c b/lib/ovsdb-idl.c
@@ -4243,7 +4243,6 @@ ovsdb_idl_loop_destroy(struct ovsdb_idl_loop *loop)
 {
     if (loop) {
         if (loop->committing_txn) {
-            ovsdb_idl_txn_abort(loop->committing_txn);
             ovsdb_idl_txn_destroy(loop->committing_txn);
         }
         ovsdb_idl_destroy(loop->idl);