[ofa-general] [PATCHv4] opensm/osm_lash: Fix use after free problem in osm_mesh_node_delete

Hal Rosenstock hnrose at comcast.net
Sun Aug 2 04:50:11 PDT 2009


When osm_mesh_node_delete is called, osm_switch_delete may already have
been called so sw->p_sw is no longer valid to be used although it was
being used to obtain num_ports.

Fix this by performing delete_mesh_switches at the end of lash_process.

Signed-off-by: Hal Rosenstock <hal.rosenstock at gmail.com>
---
Changes since v3:
Changed name of delete_switches to delete_mesh_switches

Changes since v2:
Moved mesh switches deletion into lash

Changes since v1:
Rather than saving num_ports in the mesh node structure on creation and using
this on deletion, mesh switches deletion should occur at end of the lash
calculation as none of this state is needed after that.
Approach proposed by Sasha

diff --git a/opensm/opensm/osm_ucast_lash.c b/opensm/opensm/osm_ucast_lash.c
index 1c55a90..841c0fd 100644
--- a/opensm/opensm/osm_ucast_lash.c
+++ b/opensm/opensm/osm_ucast_lash.c
@@ -5,6 +5,7 @@
  * Copyright (c) 2007      Simula Research Laboratory. All rights reserved.
  * Copyright (c) 2007      Silicon Graphics Inc. All rights reserved.
  * Copyright (c) 2008,2009 System Fabric Works, Inc. All rights reserved.
+ * Copyright (c) 2009      HNR Consulting. All rights reserved.
  *
  * This software is available to you under a choice of one of two
  * licenses.  You may choose to be licensed under the terms of the GNU
@@ -659,6 +660,18 @@ static void switch_delete(lash_t *p_lash, switch_t * sw)
 	free(sw);
 }
 
+static void delete_mesh_switches(lash_t *p_lash)
+{
+	if (p_lash->switches) {
+		unsigned id;
+		for (id = 0; ((int)id) < p_lash->num_switches; id++)
+			if (p_lash->switches[id])
+				osm_mesh_node_delete(p_lash,
+						     p_lash->switches[id]);
+	}
+}
+
+
 static void free_lash_structures(lash_t * p_lash)
 {
 	unsigned int i, j, k;
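Review bot: delete_mesh_switches adds a new caller of osm_mesh_node_delete, but no hunk in this patch removes or guards the existing call that the commit message says can run after osm_switch_delete. If that later path is still reachable, the fix relies on osm_mesh_node_delete being safe to call a second time for the same switch, so either drop the old call in this patch or say in the commit message why it is harmless. On style, the counter is declared `unsigned id` and then cast back in `((int)id) < p_lash->num_switches`; declaring it `int` removes the cast and the extra parentheses. The hunk also adds two blank lines before free_lash_structures where the surrounding code uses one.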
@@ -1219,7 +1232,7 @@ static int lash_process(void *context)
 
 	return_status = discover_network_properties(p_lash);
 	if (return_status != IB_SUCCESS)
-		goto Exit;
+		goto Exit2;
 
 	return_status = init_lash_structures(p_lash);
 	if (return_status != IB_SUCCESS)
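Review bot: the `goto Exit2` taken when discover_network_properties fails bypasses delete_mesh_switches, which is only correct if no mesh node can exist in p_lash->switches at that point. A one-line comment at the jump stating that assumption would make the skip clearly intentional and flag it for anyone who later changes where mesh nodes are created.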
@@ -1234,6 +1247,9 @@ static int lash_process(void *context)
 	populate_fwd_tbls(p_lash);
 
 Exit:
+	delete_mesh_switches(p_lash);
+
+Exit2:
 	if (p_lash->vl_min)
 		free_lash_structures(p_lash);
 	OSM_LOG_EXIT(p_log);
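Review bot: the `delete_mesh_switches(p_lash);` call under `Exit:` carries no comment recording why it has to run here, namely that osm_mesh_node_delete reads sw->p_sw and so must run while that pointer is still valid. That ordering constraint is the whole point of the fix and currently lives only in the commit message; a short comment above the call would keep a later cleanup from moving it back into the switch teardown path. The label `Exit2` would also read better with a descriptive name that says what it skips.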


