* [PATCH net-next] openvswitch: use after free in __ovs_ct_free_action()
@ 2019-04-02 6:53 Dan Carpenter
2019-04-02 17:05 ` Yi-Hung Wei
2019-04-02 17:56 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2019-04-02 6:53 UTC
To: Pravin B Shelar, Yi-Hung Wei
Cc: David S. Miller, netdev, dev, kernel-janitors
We free "ct_info->ct" and then use it on the next line when we pass it
to nf_ct_destroy_timeout(). This patch swaps the order to avoid the use
after free.
Fixes: 06bd2bdf19d2 ("openvswitch: Add timeout support to ct action")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
net/openvswitch/conntrack.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 121b01d4a3c0..0be3ab5bde26 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1804,9 +1804,9 @@ static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
if (ct_info->helper)
nf_conntrack_helper_put(ct_info->helper);
if (ct_info->ct) {
- nf_ct_tmpl_free(ct_info->ct);
if (ct_info->timeout[0])
nf_ct_destroy_timeout(ct_info->ct);
+ nf_ct_tmpl_free(ct_info->ct);
}
}
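Review bot: the order of the two calls inside the `if (ct_info->ct)` block is now what prevents the use after free, but nothing in the code records that. A one-line comment above nf_ct_tmpl_free(ct_info->ct) saying it must stay last, because nf_ct_destroy_timeout() is still passed ct_info->ct, would keep a later cleanup from swapping the calls back. Separately, ct_info->ct still holds the freed pointer when the block exits. Whether anything can reach ct_info again after __ovs_ct_free_action() is not visible from this hunk, but if it can, setting ct_info->ct to NULL after the free would turn a repeat call into a no-op instead of a double free.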
--
2.17.1
* Re: [PATCH net-next] openvswitch: use after free in __ovs_ct_free_action()
From: Yi-Hung Wei @ 2019-04-02 17:05 UTC
To: Dan Carpenter
Cc: Pravin B Shelar, David S. Miller, Linux Kernel Network Developers,
ovs dev, kernel-janitors
On Mon, Apr 1, 2019 at 11:53 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> We free "ct_info->ct" and then use it on the next line when we pass it
> to nf_ct_destroy_timeout(). This patch swaps the order to avoid the use
> after free.
>
> Fixes: 06bd2bdf19d2 ("openvswitch: Add timeout support to ct action")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
Thanks for the fix.
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
* Re: [PATCH net-next] openvswitch: use after free in __ovs_ct_free_action()
From: David Miller @ 2019-04-02 17:56 UTC
To: dan.carpenter; +Cc: pshelar, yihung.wei, netdev, dev, kernel-janitors
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 2 Apr 2019 09:53:14 +0300
> We free "ct_info->ct" and then use it on the next line when we pass it
> to nf_ct_destroy_timeout(). This patch swaps the order to avoid the use
> after free.
>
> Fixes: 06bd2bdf19d2 ("openvswitch: Add timeout support to ct action")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied, thanks.