bridge: Avoid use-after-free with VLAN splinters and multiple bridges.

The VLAN splinters feature uses a "pool" to track and free allocated blocks. There's only one pool, but the implementation was freeing all of the blocks in it for every bridge during reconfiguration, not just once for each reconfiguration, so caused a use-after-free when there was more than one bridge and a bridge other than the last one in the list of bridges had a VLAN splinter port. Bug #8671. Reported-by: Michael Mao <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
nail-lian · Dec 10, 2011 · 7c70698 · 7c70698
1 parent d60a2b5
commit 7c70698
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
@@ -3405,6 +3405,10 @@ collect_splinter_vlans(const struct ovsrec_open_vswitch *ovs_cfg)
     struct bridge *br;
     size_t i;
 
+    /* Free space allocated for synthesized ports and interfaces, since we're
+     * in the process of reconstructing all of them. */
+    free_registered_blocks();
+
     splinter_vlans = NULL;
     sset_init(&splinter_ifaces);
     for (i = 0; i < ovs_cfg->n_bridges; i++) {
@@ -3572,8 +3576,6 @@ add_vlan_splinter_ports(struct bridge *br,
 {
     size_t i;
 
-    free_registered_blocks();
-
     /* We iterate through 'br->cfg->ports' instead of 'ports' here because
      * we're modifying 'ports'. */
     for (i = 0; i < br->cfg->n_ports; i++) {