ovn-controller: Fix potential use-after-free in get_core_config().

It's unsafe to hold a pointer to a row in the IDL across calls to ovsdb_idl_run() for that IDL. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Russell Bryant <rbryant@redhat.com>
openvswitch · Jul 28, 2015 · 9326534 · 9326534
1 parent 49af9a3
commit 9326534
Showing 1 changed file with 9 additions and 10 deletions.
diff --git a/ovn/controller/ovn-controller.c b/ovn/controller/ovn-controller.c
@@ -95,21 +95,20 @@ get_bridge(struct controller_ctx *ctx, const char *name)
 static void
 get_core_config(struct controller_ctx *ctx)
 {
-    const struct ovsrec_open_vswitch *cfg;
+    while (1) {
+        ovsdb_idl_run(ctx->ovs_idl);
 
-    cfg = ovsrec_open_vswitch_first(ctx->ovs_idl);
-    if (!cfg) {
-        VLOG_ERR("No Open_vSwitch row defined.");
-        ovsdb_idl_destroy(ctx->ovs_idl);
-        exit(EXIT_FAILURE);
-    }
+        const struct ovsrec_open_vswitch *cfg;
+        cfg = ovsrec_open_vswitch_first(ctx->ovs_idl);
+        if (!cfg) {
+            VLOG_ERR("No Open_vSwitch row defined.");
+            ovsdb_idl_destroy(ctx->ovs_idl);
+            exit(EXIT_FAILURE);
+        }
 
-    while (1) {
         const struct ovsrec_bridge *br_int;
         const char *remote, *system_id, *br_int_name;
 
-        ovsdb_idl_run(ctx->ovs_idl);
-
         br_int_name = smap_get(&cfg->external_ids, "ovn-bridge");
         if (!br_int_name) {
             br_int_name = DEFAULT_BRIDGE_NAME;