Re: [dpdk-dev] [PATCH v2] ip_frag: fix double free of chained mbufs

Wed, 11 Apr 2018 05:11:06 -0700 


> -----Original Message-----
> From: Allain Legacy [mailto:allain.leg...@windriver.com]
> Sent: Monday, March 19, 2018 2:25 PM
> To: Ananyev, Konstantin <konstantin.anan...@intel.com>
> Cc: dev@dpdk.org; Peters, Matt (Wind River) <matt.pet...@windriver.com>; 
> sta...@dpdk.org
> Subject: [PATCH v2] ip_frag: fix double free of chained mbufs
> 
> The first mbuf and the last mbuf to be visited in the preceding loop
> are not set to NULL in the fragmentation table.  This creates the
> possibility of a double free when the fragmentation table is later freed
> with rte_ip_frag_table_destroy().
> 
> Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy")
> 
> Signed-off-by: Allain Legacy <allain.leg...@windriver.com>
> ---
>  lib/librte_ip_frag/rte_ipv4_reassembly.c | 2 ++
>  lib/librte_ip_frag/rte_ipv6_reassembly.c | 2 ++
>  2 files changed, 4 insertions(+)
> 
> diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c 
> b/lib/librte_ip_frag/rte_ipv4_reassembly.c
> index 82e831ca3..4956b99ea 100644
> --- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
> +++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
> @@ -59,7 +59,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
>       /* chain with the first fragment. */
>       rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
>       rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
> +     fp->frags[curr_idx].mb = NULL;
>       m = fp->frags[IP_FIRST_FRAG_IDX].mb;
> +     fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
> 
>       /* update mbuf fields for reassembled packet. */
>       m->ol_flags |= PKT_TX_IP_CKSUM;
> diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c 
> b/lib/librte_ip_frag/rte_ipv6_reassembly.c
> index 3479fabb8..db249fe60 100644
> --- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
> +++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
> @@ -82,7 +82,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
>       /* chain with the first fragment. */
>       rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
>       rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
> +     fp->frags[curr_idx].mb = NULL;
>       m = fp->frags[IP_FIRST_FRAG_IDX].mb;
> +     fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
> 
>       /* update mbuf fields for reassembled packet. */
>       m->ol_flags |= PKT_TX_IP_CKSUM;
> --

Acked-by: Konstantin Ananyev <konstantin.anan...@intel.com>

> 2.12.1

Reply via email to