ip_frag: fix double free of chained mbufs

If any fragment hole is found in ipv4_frag_reassemble() and
ipv6_frag_reassemble(), whole ip_frag_pkt mbufs are moved to death-row.
Any mbufs already chained to another mbuf are freed multiple times as
there are still in ip_frag_pkt array.

Signed-off-by: Chaeyong Chong <cychong@gmail.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

diff --git a/lib/librte_ip_frag/ip_frag_common.h b/lib/librte_ip_frag/ip_frag_common.h
index cde6ed4a296268b597b1bfeaf4e24a1ba63b59be..5542a386fe04e8129226875051ecb0083c38a90e 100644 (file)
--- a/lib/librte_ip_frag/ip_frag_common.h
+++ b/lib/librte_ip_frag/ip_frag_common.h
@@ -76,8 +76,8 @@ struct ip_frag_pkt * ip_frag_lookup(struct rte_ip_frag_tbl *tbl,
        struct ip_frag_pkt **free, struct ip_frag_pkt **stale);
 
 /* these functions need to be declared here as ip_frag_process relies on them */
-struct rte_mbuf * ipv4_frag_reassemble(const struct ip_frag_pkt *fp);
-struct rte_mbuf * ipv6_frag_reassemble(const struct ip_frag_pkt *fp);
+struct rte_mbuf *ipv4_frag_reassemble(struct ip_frag_pkt *fp);
+struct rte_mbuf *ipv6_frag_reassemble(struct ip_frag_pkt *fp);
 
 
 

diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index 26d07f9a25b2ac579cf65ca5b9f5abe75a74a8a2..e084ca59a64bf48a7ba809758bad15cb416da4e0 100644 (file)
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -41,11 +41,12 @@
  * Reassemble fragments into one packet.
  */
 struct rte_mbuf *
-ipv4_frag_reassemble(const struct ip_frag_pkt *fp)
+ipv4_frag_reassemble(struct ip_frag_pkt *fp)
 {
        struct ipv4_hdr *ip_hdr;
        struct rte_mbuf *m, *prev;
        uint32_t i, n, ofs, first_len;
+       uint32_t curr_idx = 0;
 
        first_len = fp->frags[IP_FIRST_FRAG_IDX].len;
        n = fp->last_idx - 1;
@@ -53,6 +54,7 @@ ipv4_frag_reassemble(const struct ip_frag_pkt *fp)
        /*start from the last fragment. */
        m = fp->frags[IP_LAST_FRAG_IDX].mb;
        ofs = fp->frags[IP_LAST_FRAG_IDX].ofs;
+       curr_idx = IP_LAST_FRAG_IDX;
 
        while (ofs != first_len) {
 
@@ -67,6 +69,10 @@ ipv4_frag_reassemble(const struct ip_frag_pkt *fp)
                                rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
                                rte_pktmbuf_chain(fp->frags[i].mb, m);
 
+                               /* this mbuf should not be accessed directly */
+                               fp->frags[curr_idx].mb = NULL;
+                               curr_idx = i;
+
                                /* update our last fragment and offset. */
                                m = fp->frags[i].mb;
                                ofs = fp->frags[i].ofs;

diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
index d29cb1daa7464f0d933b133c9fca881c463a565f..21a5ef5d35291fce85f11d23cf5735f4ab0ff0a9 100644 (file)
--- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
@@ -59,13 +59,14 @@ ip_frag_memmove(char *dst, char *src, int len)
  * Reassemble fragments into one packet.
  */
 struct rte_mbuf *
-ipv6_frag_reassemble(const struct ip_frag_pkt *fp)
+ipv6_frag_reassemble(struct ip_frag_pkt *fp)
 {
        struct ipv6_hdr *ip_hdr;
        struct ipv6_extension_fragment *frag_hdr;
        struct rte_mbuf *m, *prev;
        uint32_t i, n, ofs, first_len;
        uint32_t last_len, move_len, payload_len;
+       uint32_t curr_idx = 0;
 
        first_len = fp->frags[IP_FIRST_FRAG_IDX].len;
        n = fp->last_idx - 1;
@@ -74,6 +75,7 @@ ipv6_frag_reassemble(const struct ip_frag_pkt *fp)
        m = fp->frags[IP_LAST_FRAG_IDX].mb;
        ofs = fp->frags[IP_LAST_FRAG_IDX].ofs;
        last_len = fp->frags[IP_LAST_FRAG_IDX].len;
+       curr_idx = IP_LAST_FRAG_IDX;
 
        payload_len = ofs + last_len;
 
@@ -90,6 +92,10 @@ ipv6_frag_reassemble(const struct ip_frag_pkt *fp)
                                rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
                                rte_pktmbuf_chain(fp->frags[i].mb, m);
 
+                               /* this mbuf should not be accessed directly */
+                               fp->frags[curr_idx].mb = NULL;
+                               curr_idx = i;
+
                                /* update our last fragment and offset. */
                                m = fp->frags[i].mb;
                                ofs = fp->frags[i].ofs;