[ofa-general] [PATCHv4] opensm/osm_lash: Fix use after free problem in osm_mesh_node_delete
Hal Rosenstock
hnrose at comcast.net
Sun Aug 2 04:50:11 PDT 2009
When osm_mesh_node_delete is called, osm_switch_delete may already have
been called so sw->p_sw is no longer valid to be used although it was
being used to obtain num_ports.
Fix this by performing delete_mesh_switches at the end of lash_process.
Signed-off-by: Hal Rosenstock <hal.rosenstock at gmail.com>
---
Changes since v3:
Changed name of delete_switches to delete_mesh_switches
Changes since v2:
Moved mesh switches deletion into lash
Changes since v1:
Rather than saving num_ports in the mesh node structure on creation and using
this on deletion, mesh switches deletion should occur at end of the lash
calculation as none of this state is needed after that
Approach proposed by Sasha
diff --git a/opensm/opensm/osm_ucast_lash.c b/opensm/opensm/osm_ucast_lash.c
index 1c55a90..841c0fd 100644
--- a/opensm/opensm/osm_ucast_lash.c
+++ b/opensm/opensm/osm_ucast_lash.c
@@ -5,6 +5,7 @@
* Copyright (c) 2007 Simula Research Laboratory. All rights reserved.
* Copyright (c) 2007 Silicon Graphics Inc. All rights reserved.
* Copyright (c) 2008,2009 System Fabric Works, Inc. All rights reserved.
+ * Copyright (c) 2009 HNR Consulting. All rights reserved.
*
* This software is available to you under a choice of one of two
* licenses. You may choose to be licensed under the terms of the GNU
@@ -659,6 +660,18 @@ static void switch_delete(lash_t *p_lash, switch_t * sw)
free(sw);
}
+static void delete_mesh_switches(lash_t *p_lash)
+{
+ if (p_lash->switches) {
+ unsigned id;
+ for (id = 0; ((int)id) < p_lash->num_switches; id++)
+ if (p_lash->switches[id])
+ osm_mesh_node_delete(p_lash,
+ p_lash->switches[id]);
+ }
+}
+
+
static void free_lash_structures(lash_t * p_lash)
{
unsigned int i, j, k;
@@ -1219,7 +1232,7 @@ static int lash_process(void *context)
return_status = discover_network_properties(p_lash);
if (return_status != IB_SUCCESS)
- goto Exit;
+ goto Exit2;
return_status = init_lash_structures(p_lash);
if (return_status != IB_SUCCESS)
@@ -1234,6 +1247,9 @@ static int lash_process(void *context)
populate_fwd_tbls(p_lash);
Exit:
+ delete_mesh_switches(p_lash);
+
+Exit2:
if (p_lash->vl_min)
free_lash_structures(p_lash);
OSM_LOG_EXIT(p_log);
More information about the general
mailing list