Commit 6d670497 authored Apr 02, 2019 by Dan Carpenter Committed by David S. Miller Apr 02, 2019

openvswitch: use after free in __ovs_ct_free_action()



We free "ct_info->ct" and then use it on the next line when we pass it
to nf_ct_destroy_timeout().  This patch swaps the order to avoid the use
after free.

Fixes: 06bd2bdf ("openvswitch: Add timeout support to ct action")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent f0dfecc9

net/openvswitch/conntrack.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1804,9 +1804,9 @@ static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
		if (ct_info->helper)
		nf_conntrack_helper_put(ct_info->helper);
		if (ct_info->ct) {
		nf_ct_tmpl_free(ct_info->ct);
		if (ct_info->timeout[0])
		nf_ct_destroy_timeout(ct_info->ct);
		nf_ct_tmpl_free(ct_info->ct);
		}
		}