From: "Ananyev, Konstantin"
To: "Legacy, Allain (Wind River)"
CC: "dev@dpdk.org", "Peters, Matt (Wind River)", "stable@dpdk.org"
Date: Wed, 11 Apr 2018 12:10:42 +0000
Subject: Re: [dpdk-stable] [PATCH v2] ip_frag: fix double free of chained mbufs
List-Id: patches for DPDK stable branches

> -----Original Message-----
> From: Allain Legacy [mailto:allain.legacy@windriver.com] > Sent: Monday, March 19, 2018 2:25 PM > To: Ananyev, Konstantin > Cc: dev@dpdk.org; Peters, Matt (Wind River) ; = stable@dpdk.org > Subject: [PATCH v2] ip_frag: fix double free of chained mbufs >=20 > The first mbuf and the last mbuf to be visited in the preceding loop > are not set to NULL in the fragmentation table. This creates the > possibility of a double free when the fragmentation table is later freed > with rte_ip_frag_table_destroy(). >=20 > Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy") >=20 > Signed-off-by: Allain Legacy > --- > lib/librte_ip_frag/rte_ipv4_reassembly.c | 2 ++ > lib/librte_ip_frag/rte_ipv6_reassembly.c | 2 ++ > 2 files changed, 4 insertions(+) >=20 > diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_fra= g/rte_ipv4_reassembly.c > index 82e831ca3..4956b99ea 100644 > --- a/lib/librte_ip_frag/rte_ipv4_reassembly.c > +++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c > @@ -59,7 +59,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp) > /* chain with the first fragment. */ > rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len)); > rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m); > + fp->frags[curr_idx].mb =3D NULL; > m =3D fp->frags[IP_FIRST_FRAG_IDX].mb; > + fp->frags[IP_FIRST_FRAG_IDX].mb =3D NULL; >=20 > /* update mbuf fields for reassembled packet. */ > m->ol_flags |=3D PKT_TX_IP_CKSUM; > diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_fra= g/rte_ipv6_reassembly.c > index 3479fabb8..db249fe60 100644 > --- a/lib/librte_ip_frag/rte_ipv6_reassembly.c > +++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c 
> @@ -82,7 +82,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp) > /* chain with the first fragment. */ > rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len)); > rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m); > + fp->frags[curr_idx].mb =3D NULL; > m =3D fp->frags[IP_FIRST_FRAG_IDX].mb; > + fp->frags[IP_FIRST_FRAG_IDX].mb =3D NULL; >=20 > /* update mbuf fields for reassembled packet. */ > m->ol_flags |=3D PKT_TX_IP_CKSUM; > -- Acked-by: Konstantin Ananyev > 2.12.1
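
Review bot: In ipv4_frag_reassemble(), the added `fp->frags[curr_idx].mb = NULL;` runs unconditionally right after `rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);`, whose return value the surrounding lines ignore. If chaining fails, the slot is cleared although m was never linked, and the next line overwrites m, so the fragment would be leaked where it was previously at risk of a double free. Consider checking the result of rte_pktmbuf_chain() and handling the error before clearing the slot.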
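
Review bot: The two assignments added to ipv6_frag_reassemble() duplicate the IPv4 ones and carry no comment saying why the slots are cleared. A one-line comment above them, stating that ownership of the chained mbufs passes to the returned packet and the table must drop its pointers before rte_ip_frag_table_destroy() runs, would keep the pairing from being lost in later edits. The diffstat lists only the two source files, so a test that reassembles a packet and then destroys the table would be worth adding to catch a regression.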
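
The double free described in the commit message, as a small stand-alone C model added here (not DPDK code and not part of the patch). The names buf, frag_tbl, reassemble, tbl_destroy and max_frees are hypothetical, the visiting order is an assumption, and frees are counted instead of performed so the repeat can be observed safely.

```c
#include <stdio.h>

#define MAX_FRAGS 4
#define FIRST_IDX 0   /* hypothetical stand-in for IP_FIRST_FRAG_IDX */

/* Toy buffer: frees are counted, not performed, so a repeat is observable. */
struct buf { struct buf *next; int free_count; };
struct frag_tbl { struct buf *slot[MAX_FRAGS]; };

/* Free a whole chain, as freeing a chained packet buffer would. */
static void chain_free(struct buf *b)
{
    for (; b != NULL; b = b->next) b->free_count++;
}

/* Chain all fragments onto the first and hand the chain to the caller
 * (slot[FIRST_IDX] must be populated). fixed == 0 leaves the first and
 * last-visited slots pointing at buffers the caller now owns;
 * fixed == 1 clears every slot whose buffer went into the chain. */
static struct buf *reassemble(struct frag_tbl *t, int fixed)
{
    struct buf *head = t->slot[FIRST_IDX], *tail = head;
    for (int i = 1; i < MAX_FRAGS && t->slot[i] != NULL; i++) {
        int last = (i + 1 == MAX_FRAGS || t->slot[i + 1] == NULL);
        tail->next = t->slot[i];
        tail = t->slot[i];
        if (fixed || !last) t->slot[i] = NULL;
    }
    if (fixed) t->slot[FIRST_IDX] = NULL;
    return head;
}

/* Teardown frees whatever the slots still reference. */
static void tbl_destroy(struct frag_tbl *t)
{
    for (int i = 0; i < MAX_FRAGS; i++)
        if (t->slot[i] != NULL) chain_free(t->slot[i]);
}

/* Highest number of frees any single buffer received (constructed input). */
static int max_frees(int fixed)
{
    struct buf b[3] = {{0}};
    struct frag_tbl t = { { &b[0], &b[1], &b[2], NULL } };
    int worst = 0;
    chain_free(reassemble(&t, fixed));   /* caller consumes the packet */
    tbl_destroy(&t);                     /* table torn down afterwards */
    for (int i = 0; i < 3; i++)
        if (b[i].free_count > worst) worst = b[i].free_count;
    return worst;
}

int main(void) { printf("%d %d\n", max_frees(0), max_frees(1)); return 0; }
```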