ip_frag: fix double free of chained mbufs

[dpdk.git] / lib / librte_ip_frag / rte_ipv4_reassembly.c

diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index a52f549..4956b99 100644 (file)
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -1,34 +1,5 @@
-/*-
- *   BSD LICENSE
- *
- *   Copyright(c) 2010-2014 Intel Corporation. All rights reserved.
- *   All rights reserved.
- *
- *   Redistribution and use in source and binary forms, with or without
- *   modification, are permitted provided that the following conditions
- *   are met:
- *
- *     * Redistributions of source code must retain the above copyright
- *       notice, this list of conditions and the following disclaimer.
- *     * Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in
- *       the documentation and/or other materials provided with the
- *       distribution.
- *     * Neither the name of Intel Corporation nor the names of its
- *       contributors may be used to endorse or promote products derived
- *       from this software without specific prior written permission.
- *
- *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2010-2014 Intel Corporation
  */
 
 #include <stddef.h>
@@ -41,11 +12,12 @@
  * Reassemble fragments into one packet.
  */
 struct rte_mbuf *
-ipv4_frag_reassemble(const struct ip_frag_pkt *fp)
+ipv4_frag_reassemble(struct ip_frag_pkt *fp)
 {
        struct ipv4_hdr *ip_hdr;
        struct rte_mbuf *m, *prev;
        uint32_t i, n, ofs, first_len;
+       uint32_t curr_idx = 0;
 
        first_len = fp->frags[IP_FIRST_FRAG_IDX].len;
        n = fp->last_idx - 1;
@@ -53,6 +25,7 @@ ipv4_frag_reassemble(const struct ip_frag_pkt *fp)
        /*start from the last fragment. */
        m = fp->frags[IP_LAST_FRAG_IDX].mb;
        ofs = fp->frags[IP_LAST_FRAG_IDX].ofs;
+       curr_idx = IP_LAST_FRAG_IDX;
 
        while (ofs != first_len) {
 
@@ -63,7 +36,13 @@ ipv4_frag_reassemble(const struct ip_frag_pkt *fp)
                        /* previous fragment found. */
                        if(fp->frags[i].ofs + fp->frags[i].len == ofs) {
 
-                               ip_frag_chain(fp->frags[i].mb, m);
+                               /* adjust start of the last fragment data. */
+                               rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+                               rte_pktmbuf_chain(fp->frags[i].mb, m);
+
+                               /* this mbuf should not be accessed directly */
+                               fp->frags[curr_idx].mb = NULL;
+                               curr_idx = i;
 
                                /* update our last fragment and offset. */
                                m = fp->frags[i].mb;
@@ -78,15 +57,17 @@ ipv4_frag_reassemble(const struct ip_frag_pkt *fp)
        }
 
        /* chain with the first fragment. */
-       ip_frag_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+       rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+       rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+       fp->frags[curr_idx].mb = NULL;
        m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+       fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
 
        /* update mbuf fields for reassembled packet. */
        m->ol_flags |= PKT_TX_IP_CKSUM;
 
-       /* update ipv4 header for the reassmebled packet */
-       ip_hdr = (struct ipv4_hdr*)(rte_pktmbuf_mtod(m, uint8_t *) +
-               m->l2_len);
+       /* update ipv4 header for the reassembled packet */
+       ip_hdr = rte_pktmbuf_mtod_offset(m, struct ipv4_hdr *, m->l2_len);
 
        ip_hdr->total_length = rte_cpu_to_be_16((uint16_t)(fp->total_size +
                m->l3_len));
@@ -109,8 +90,8 @@ ipv4_frag_reassemble(const struct ip_frag_pkt *fp)
  * @param ip_hdr
  *   Pointer to the IPV4 header inside the fragment.
  * @return
- *   Pointer to mbuf for reassebled packet, or NULL if:
- *   - an error occured.
+ *   Pointer to mbuf for reassembled packet, or NULL if:
+ *   - an error occurred.
  *   - not all fragments of the packet are collected yet.
  */
 struct rte_mbuf *
@@ -120,7 +101,7 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
 {
        struct ip_frag_pkt *fp;
        struct ip_frag_key key;
-       const uint64_t *psd;
+       const unaligned_uint64_t *psd;
        uint16_t ip_len;
        uint16_t flag_offset, ip_ofs, ip_flag;
 
@@ -128,7 +109,7 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
        ip_ofs = (uint16_t)(flag_offset & IPV4_HDR_OFFSET_MASK);
        ip_flag = (uint16_t)(flag_offset & IPV4_HDR_MF_FLAG);
 
-       psd = (uint64_t *)&ip_hdr->src_addr;
+       psd = (unaligned_uint64_t *)&ip_hdr->src_addr;
        /* use first 8 bytes only */
        key.src_dst[0] = psd[0];
        key.id = ip_hdr->packet_id;