From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <thomas@monjalon.net>
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com
 [66.111.4.29]) by dpdk.org (Postfix) with ESMTP id 2F3831B7BA;
 Tue, 10 Apr 2018 17:15:54 +0200 (CEST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
 by mailout.nyi.internal (Postfix) with ESMTP id CB98320D68;
 Tue, 10 Apr 2018 11:15:53 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute1.internal (MEProxy); Tue, 10 Apr 2018 11:15:53 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=monjalon.net; h=
 cc:content-transfer-encoding:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-sender
 :x-me-sender:x-sasl-enc; s=mesmtp; bh=jWzdyiPaZQJiSN6bf9mtUThYFe
 ej0NsfgJX1u1lwaQA=; b=pwdbnxmkdyc4aLvfBCHv9NGcZz5NvziVQcvAfhuzR0
 L9qmMXAbPzySpLJkOd2cH8xUdjWNakZVh8AS21NBnanqU5KU/t/pLdWrhRUFeVeT
 UkdhqUiebVZGCvq/WcAf/XwfSCW/fBegMKtj8Gv0jFYuFFXdTrjwoQfwPA28Rfpw
 A=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=jWzdyi
 PaZQJiSN6bf9mtUThYFeej0NsfgJX1u1lwaQA=; b=lNikMTNVkil6UXqzFopEjd
 6EfMLS19yFmC5LqOvqFUBQp5mfv56vYcvaKy3mcE/7NOhS14yY/V6gvnC4l1doka
 6i5B8T+sBD5KhspApZSrefU/Xr2+N2d1bqzpwCy4ukq8FfzHN1WfxXOOvCvszeQX
 DBzJccXdb+6cUt1ZUdLjeNd2eM4Pe7KLGL/M5YJrCJycfGlMD0CDULaLV6zbPsgP
 Gv4B9nKxDvBmXOsR5D6Kg8khx5IzILTh74ZHr4VuY2jcyD7c2Y8YTBA4rQHSf6Lu
 QfrgGg4yUdOut2xdIfN/q/wfhpkQFzTiaJ6b2e1ptGUfnEP0r3Zzxu4CPVUkS3vQ
 ==
X-ME-Sender: <xms:KdXMWqSbQQLrfhLVUQaQhCWx0ZPaMRIeIVIbq0w-4DXNI4Sf-bjLVg>
Received: from xps.localnet (184.203.134.77.rev.sfr.net [77.134.203.184])
 by mail.messagingengine.com (Postfix) with ESMTPA id 003AEE4472;
 Tue, 10 Apr 2018 11:15:52 -0400 (EDT)
From: Thomas Monjalon <thomas@monjalon.net>
To: dev@dpdk.org
Cc: Allain Legacy <allain.legacy@windriver.com>, konstantin.ananyev@intel.com,
 matt.peters@windriver.com, stable@dpdk.org
Date: Tue, 10 Apr 2018 17:15:51 +0200
Message-ID: <1633516.d81bmW6GXi@xps>
In-Reply-To: <20180319142523.22163-1-allain.legacy@windriver.com>
References: <20180319141833.21669-1-allain.legacy@windriver.com>
 <20180319142523.22163-1-allain.legacy@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [dpdk-stable] [dpdk-dev] [PATCH v2] ip_frag: fix double free of
	chained mbufs
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://dpdk.org/ml/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://dpdk.org/ml/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2018 15:15:54 -0000

Please, any review?

19/03/2018 15:25, Allain Legacy:
> The first mbuf and the last mbuf to be visited in the preceding loop
> are not set to NULL in the fragmentation table.  This creates the
> possibility of a double free when the fragmentation table is later freed
> with rte_ip_frag_table_destroy().
> 
> Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy")
> 
> Signed-off-by: Allain Legacy <allain.legacy@windriver.com>
> ---
>  lib/librte_ip_frag/rte_ipv4_reassembly.c | 2 ++
>  lib/librte_ip_frag/rte_ipv6_reassembly.c | 2 ++
>  2 files changed, 4 insertions(+)
> 
> diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
> index 82e831ca3..4956b99ea 100644
> --- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
> +++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
> @@ -59,7 +59,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
>  	/* chain with the first fragment. */
>  	rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
>  	rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
> +	fp->frags[curr_idx].mb = NULL;
>  	m = fp->frags[IP_FIRST_FRAG_IDX].mb;
> +	fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
>  
>  	/* update mbuf fields for reassembled packet. */
>  	m->ol_flags |= PKT_TX_IP_CKSUM;
> diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
> index 3479fabb8..db249fe60 100644
> --- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
> +++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
> @@ -82,7 +82,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
>  	/* chain with the first fragment. */
>  	rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
>  	rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
> +	fp->frags[curr_idx].mb = NULL;
>  	m = fp->frags[IP_FIRST_FRAG_IDX].mb;
> +	fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
>  
>  	/* update mbuf fields for reassembled packet. */
>  	m->ol_flags |= PKT_TX_IP_CKSUM;
>