From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by dpdk.org (Postfix) with ESMTP id 7E99B1B847; Wed, 11 Apr 2018 13:02:22 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Apr 2018 04:02:20 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.48,435,1517904000"; d="scan'208";a="46030065" Received: from irsmsx106.ger.corp.intel.com ([163.33.3.31]) by fmsmga001.fm.intel.com with ESMTP; 11 Apr 2018 04:02:19 -0700 Received: from irsmsx102.ger.corp.intel.com ([169.254.2.164]) by IRSMSX106.ger.corp.intel.com ([169.254.8.37]) with mapi id 14.03.0319.002; Wed, 11 Apr 2018 12:02:18 +0100 From: "Ananyev, Konstantin" To: "Legacy, Allain (Wind River)" CC: "dev@dpdk.org" , "Peters, Matt (Wind River)" , "stable@dpdk.org" Thread-Topic: [PATCH v2] ip_frag: fix double free of chained mbufs Thread-Index: AQHTv44lGMPnxe4r5E+0N/1sCPbP9qP7iPSQ Date: Wed, 11 Apr 2018 11:02:17 +0000 Message-ID: <2601191342CEEE43887BDE71AB977258AE9138DD@IRSMSX102.ger.corp.intel.com> References: <20180319141833.21669-1-allain.legacy@windriver.com> <20180319142523.22163-1-allain.legacy@windriver.com> In-Reply-To: <20180319142523.22163-1-allain.legacy@windriver.com> Accept-Language: en-IE, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiOTNjYWNiYTgtM2Q3OC00MTY3LWE5NzgtNzYyNjY0NzkxMDRlIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE2LjUuOS4zIiwiVHJ1c3RlZExhYmVsSGFzaCI6IkhDU1l2K0E4MTdOclBNNjJnNXhWT2JhS25ZekFxcjE1cjc5a09FYVhROFE9In0= x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.200.100 dlp-reaction: no-action x-originating-ip: [163.33.239.181] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-stable] [PATCH v2] ip_frag: fix double free of chained mbufs X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Apr 2018 11:02:23 -0000 Hi Allain, >=20 > The first mbuf and the last mbuf to be visited in the preceding loop > are not set to NULL in the fragmentation table. This creates the > possibility of a double free when the fragmentation table is later freed > with rte_ip_frag_table_destroy(). >=20 > Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy") >=20 > Signed-off-by: Allain Legacy > --- > lib/librte_ip_frag/rte_ipv4_reassembly.c | 2 ++ > lib/librte_ip_frag/rte_ipv6_reassembly.c | 2 ++ > 2 files changed, 4 insertions(+) >=20 > diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_fra= g/rte_ipv4_reassembly.c > index 82e831ca3..4956b99ea 100644 > --- a/lib/librte_ip_frag/rte_ipv4_reassembly.c > +++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c > @@ -59,7 +59,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp) > /* chain with the first fragment. */ > rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len)); > rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m); > + fp->frags[curr_idx].mb =3D NULL; > m =3D fp->frags[IP_FIRST_FRAG_IDX].mb; > + fp->frags[IP_FIRST_FRAG_IDX].mb =3D NULL; I wonder why we have to NULL only first and cur entry? We probably have to NULL each one in that case, right? If so, then it probably better to do in the same place we do ip_frag_key_in= validate(). As alternative, and probably better approach - can we modify rte_ip_frag_ta= ble_destroy(), so it will free mbufs only for entires with valid keys? Konstantin=20 >=20 > /* update mbuf fields for reassembled packet. */ > m->ol_flags |=3D PKT_TX_IP_CKSUM; > diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_fra= g/rte_ipv6_reassembly.c > index 3479fabb8..db249fe60 100644 > --- a/lib/librte_ip_frag/rte_ipv6_reassembly.c > +++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c > @@ -82,7 +82,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp) > /* chain with the first fragment. */ > rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len)); > rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m); > + fp->frags[curr_idx].mb =3D NULL; > m =3D fp->frags[IP_FIRST_FRAG_IDX].mb; > + fp->frags[IP_FIRST_FRAG_IDX].mb =3D NULL; >=20 > /* update mbuf fields for reassembled packet. */ > m->ol_flags |=3D PKT_TX_IP_CKSUM; > -- > 2.12.1