From 4f512a1919998933a39886ab2ec7f2fdde48756c Mon Sep 17 00:00:00 2001
From: Allain Legacy
Date: Mon, 19 Mar 2018 09:25:23 -0500
Subject: [PATCH] ip_frag: fix double free of chained mbufs
The first mbuf and the last mbuf to be visited in the preceding loop are not set to NULL in the fragmentation table. This creates the possibility of a double free when the fragmentation table is later freed with rte_ip_frag_table_destroy().
Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy")
Cc: stable@dpdk.org
Signed-off-by: Allain Legacy
Acked-by: Konstantin Ananyev
---
 lib/librte_ip_frag/rte_ipv4_reassembly.c | 2 ++
 lib/librte_ip_frag/rte_ipv6_reassembly.c | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index 82e831ca30..4956b99eab 100644
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -59,7 +59,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
 /* chain with the first fragment. */
 rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
 rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+ fp->frags[curr_idx].mb = NULL;
 m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+ fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
 /* update mbuf fields for reassembled packet. */
 m->ol_flags |= PKT_TX_IP_CKSUM;
diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
index 3479fabb8f..db249fe600 100644
--- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
@@ -82,7 +82,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
 /* chain with the first fragment. */
 rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
 rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+ fp->frags[curr_idx].mb = NULL;
 m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+ fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
 /* update mbuf fields for reassembled packet. */
 m->ol_flags |= PKT_TX_IP_CKSUM;
--
2.20.1
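Review bot: The added `fp->frags[curr_idx].mb = NULL;` in ipv4_frag_reassemble clears the table slot even when the preceding `rte_pktmbuf_chain()` call failed, because that call's return value is still ignored; in that case `m` is referenced by neither the first fragment's chain nor the table and would leak instead of being freed by rte_ip_frag_table_destroy(). rte_pktmbuf_chain() returns a negative value when the combined chain would exceed the segment limit; whether the fragment counts here can reach that limit is not visible in the hunk, but the fragments originate from the network, so the error path is worth handling rather than assuming away. Consider `if (rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m) != 0) return NULL;` ahead of the two assignments so both slots keep ownership on failure, assuming a NULL return is this function's existing failure convention (to be confirmed against the callers). The ipv6_frag_reassemble hunk has the same pattern, and both function bodies start and end outside the hunks.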