> On Aug 19, 2016, at 9:03 AM, Ben Pfaff <[email protected]> wrote:
>
> send_garp_run() allocated and populated a shash of struct lport_addresses,
> but it only freed some of the data. This fixes the problem.
>
> CC: Chandra S Vejendla <[email protected]>
> Reported-by: Ramu Ramamurthy <[email protected]>
> Fixes: 8439c2ebd823 ("ovn: Support for GARP for NAT IPs via localnet")
> Signed-off-by: Ben Pfaff <[email protected]>

I think this may fix a possible use-after-free problem with "nat_addresses", too. There are two separate calls to send_garp_update() in send_garp_run() that take "nat_addresses" as an argument. If "laddrs" is used in the first call, the data is freed, but the data pointer still exists in "nat_addresses". It's possible that a second call could then try to dereference the pointer value that's there. I didn't look closely enough at the code to see if something makes sure that both calls can never reference the same entry, though.

Acked-by: Justin Pettit <[email protected]>

--Justin
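
The stale-pointer pattern raised in this reply, shown as an added example that is not part of the original thread or of the OVN source: a call that frees a record must also unlink it from the table, and teardown must free whatever was never consumed. The table, record type and function names are hypothetical stand-ins, and the sample data is constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for a string-keyed hash and its address records. */
struct addrs { char *ip; };
struct entry { const char *key; struct addrs *data; };
struct table { struct entry e[8]; size_t n; };
static void addrs_free(struct addrs *a) { free(a->ip); free(a); }

static int table_add(struct table *t, const char *key, const char *ip) {
    struct addrs *a = t->n < 8 ? malloc(sizeof *a) : NULL;
    if (!a) return 0;
    a->ip = malloc(strlen(ip) + 1);
    if (!a->ip) { free(a); return 0; }
    strcpy(a->ip, ip);
    t->e[t->n++] = (struct entry){ key, a };
    return 1;
}

/* Unlink the entry and give its data to the caller: no stale pointer stays. */
static struct addrs *table_find_and_delete(struct table *t, const char *key) {
    for (size_t i = 0; i < t->n; i++) {
        if (strcmp(t->e[i].key, key)) continue;
        struct addrs *a = t->e[i].data;
        t->e[i] = t->e[--t->n];   /* fill the hole with the last entry */
        return a;
    }
    return NULL;
}

/* One "update" call: consume the record for key. 1 if consumed, 0 if absent. */
static int consume(struct table *t, const char *key) {
    struct addrs *a = table_find_and_delete(t, key);
    if (!a) return 0;
    /* ... a->ip would be used here ... */
    addrs_free(a);
    return 1;
}

/* Free whatever no call consumed (the leak half). Returns entries freed. */
static size_t table_destroy(struct table *t) {
    size_t freed = t->n;
    while (t->n) addrs_free(t->e[--t->n].data);
    return freed;
}

int main(void) {
    struct table t = { .n = 0 };
    table_add(&t, "lp1", "10.0.0.1");   /* constructed sample data */
    return consume(&t, "lp1") == 1 && consume(&t, "lp1") == 0 ? 0 : 1;
}
```

A second consume() for the same key finds nothing instead of dereferencing freed memory, and table_destroy() releases both the record and its inner allocation for every entry left behind.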
