patches for DPDK stable branches
 help / color / mirror / Atom feed
* [dpdk-stable] [PATCH] ip_frag: fix double free of chained mbufs
@ 2018-03-19 14:18 Allain Legacy
  2018-03-19 14:25 ` [dpdk-stable] [PATCH v2] " Allain Legacy
  0 siblings, 1 reply; 8+ messages in thread
From: Allain Legacy @ 2018-03-19 14:18 UTC (permalink / raw)
  To: konstantin.ananyev; +Cc: dev, matt.peters, stable

The first mbuf and the last mbuf to be visited in the preceeding loop
are not set to NULL in the fragmentation table.  This creates the
possibility of a double free when the fragmentation table is later freed
with rte_ip_frag_table_destroy().

Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy")

Signed-off-by: Allain Legacy <allain.legacy@windriver.com>
---
 lib/librte_ip_frag/rte_ipv4_reassembly.c | 4 +++-
 lib/librte_ip_frag/rte_ipv6_reassembly.c | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index 82e831ca3..42974fb8b 100644
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -25,7 +25,7 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
 	/*start from the last fragment. */
 	m = fp->frags[IP_LAST_FRAG_IDX].mb;
 	ofs = fp->frags[IP_LAST_FRAG_IDX].ofs;
-	curr_idx = IP_LAST_FRAG_IDX;
+	curr_idx = 	IP_LAST_FRAG_IDX;
 
 	while (ofs != first_len) {
 
@@ -59,7 +59,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
 	/* chain with the first fragment. */
 	rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
 	rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+	fp->frags[curr_idx].mb = NULL;
 	m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+	fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
 
 	/* update mbuf fields for reassembled packet. */
 	m->ol_flags |= PKT_TX_IP_CKSUM;
diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
index 3479fabb8..db249fe60 100644
--- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
@@ -82,7 +82,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
 	/* chain with the first fragment. */
 	rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
 	rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+	fp->frags[curr_idx].mb = NULL;
 	m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+	fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
 
 	/* update mbuf fields for reassembled packet. */
 	m->ol_flags |= PKT_TX_IP_CKSUM;
-- 
2.12.1

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2018-04-15 12:46 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-19 14:18 [dpdk-stable] [PATCH] ip_frag: fix double free of chained mbufs Allain Legacy
2018-03-19 14:25 ` [dpdk-stable] [PATCH v2] " Allain Legacy
2018-04-10 15:15   ` [dpdk-stable] [dpdk-dev] " Thomas Monjalon
2018-04-11 11:02   ` [dpdk-stable] " Ananyev, Konstantin
2018-04-11 11:28     ` Legacy, Allain
2018-04-11 12:09       ` Ananyev, Konstantin
2018-04-11 12:10   ` Ananyev, Konstantin
2018-04-15 12:46     ` [dpdk-stable] [dpdk-dev] " Thomas Monjalon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).