diff options
| author | Jonathan Gray <jsg@cvs.openbsd.org> | 2016-10-27 09:48:02 +0000 |
|---|---|---|
| committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2016-10-27 09:48:02 +0000 |
| commit | acd0800d8563aa6b3ee20be181f7d1797f8fdaea (patch) | |
| tree | 2b6f916461a702de485c200ac6afed07e423a7f4 /sys/net | |
| parent | a33fb1ee266c8a3cd1bea8964a978d70f35fb554 (diff) | |
Avoid a use after free in swofp_flow_timeout(). The
swofp_flow_entry_delete() call frees the memory pointed to by the swfe
variable which was used later in the loop.
ok rzalamena@
Diffstat (limited to 'sys/net')
| -rw-r--r-- | sys/net/switchofp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/net/switchofp.c b/sys/net/switchofp.c index 4ecb3388575..27d39a832e0 100644 --- a/sys/net/switchofp.c +++ b/sys/net/switchofp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: switchofp.c,v 1.16 2016/10/23 11:56:51 rzalamena Exp $ */ +/* $OpenBSD: switchofp.c,v 1.17 2016/10/27 09:48:01 jsg Exp $ */ /* * Copyright (c) 2016 Kazuya GODA <goda@openbsd.org> @@ -1496,6 +1496,7 @@ swofp_flow_timeout(struct switch_softc *sc) "by idle timeout\n", swfe->swfe_id); swofp_flow_entry_delete(sc, swft, swfe, OFP_FLOWREM_REASON_IDLE_TIMEOUT); + continue; } } if (swfe->swfe_hard_timeout) { |