From 35ae44d1e25e2c3556956e2bc78a0e1c63cc9a11 Mon Sep 17 00:00:00 2001
From: Anatoly Burakov
Date: Fri, 13 Apr 2018 12:55:00 +0100
Subject: [PATCH] ipc: fix use-after-free in asynchronous requests
Previously, we were removing request from the list only if we have succeeded to send it. This resulted in leaving an invalid pointer in the request list. Fix this by only adding new requests to the request list if we have succeeded in sending them.
Fixes: f05e26051c15 ("eal: add IPC asynchronous request")
Signed-off-by: Anatoly Burakov
Acked-by: Jianfeng Tan
---
 lib/librte_eal/common/eal_common_proc.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/librte_eal/common/eal_common_proc.c b/lib/librte_eal/common/eal_common_proc.c
index e3eb43011d..a8ca7b8cc4 100644
--- a/lib/librte_eal/common/eal_common_proc.c
+++ b/lib/librte_eal/common/eal_common_proc.c
@@ -876,9 +876,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req,
 /* queue already locked by caller */
 exist = find_sync_request(dst, req->name);
- if (!exist) {
- TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next);
- } else {
+ if (exist) {
 RTE_LOG(ERR, EAL, "A pending request %s:%s\n", dst, req->name);
 rte_errno = EEXIST;
 ret = -1;
@@ -895,6 +893,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req,
 ret = 0;
 goto fail;
 }
+ TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next);
 param->user_reply.nb_sent++;
-- 
2.20.1
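Review bot: The duplicate check at `if (exist)` and the insert that used to sit in its else branch are now separated by the send in the next hunk, so uniqueness of a dst/name pair rests entirely on the caller holding the queue lock across the whole function. The context comment `/* queue already locked by caller */` does not say that; I would extend it to something like `/* queue already locked by caller; the lock must stay held until the request is inserted below */`. The function body starts and ends outside this hunk, so whether the lock can be dropped in between is not visible here.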
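Review bot: Nothing at the new `TAILQ_INSERT_TAIL` call records why it has to come after the send, and that ordering is what keeps the list free of dangling entries: every `goto fail` above it runs while `sync_req` is still off the list. The `fail` label is outside the hunk, but going by the commit message it releases `sync_req`, so any `goto fail` added below the insert later would bring the use-after-free back. I would add a comment such as `/* insert only after a successful send; no goto fail past this point, sync_req is now owned by the list */`. Sending before inserting also assumes a reply cannot be matched against the list until the caller's lock is dropped; that is worth confirming in the reply handler, which is not visible here.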