[dpdk-dev] ip_frag: fix double free of chained mbufs
The first mbuf and the last mbuf to be visited in the preceding loop
are not set to NULL in the fragmentation table. This creates the
possibility of a double free when the fragmentation table is later freed
with rte_ip_frag_table_destroy().
Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy")
Signed-off-by: Allain Legacy <allain.legacy@windriver.com>
---
lib/librte_ip_frag/rte_ipv4_reassembly.c | 4 +++-
lib/librte_ip_frag/rte_ipv6_reassembly.c | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
@@ -25,7 +25,7 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
/*start from the last fragment. */
m = fp->frags[IP_LAST_FRAG_IDX].mb;
ofs = fp->frags[IP_LAST_FRAG_IDX].ofs;
- curr_idx = IP_LAST_FRAG_IDX;
+ curr_idx = IP_LAST_FRAG_IDX;
while (ofs != first_len) {
@@ -59,7 +59,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
/* chain with the first fragment. */
rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+ fp->frags[curr_idx].mb = NULL;
m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+ fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
/* update mbuf fields for reassembled packet. */
m->ol_flags |= PKT_TX_IP_CKSUM;
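Review bot: The result of `rte_pktmbuf_chain()` is still ignored on the line just above the added `fp->frags[curr_idx].mb = NULL;`, so if chaining fails (it returns a negative value when the combined segment count exceeds the mbuf limit) the slot is cleared even though `m` was never linked to the first fragment. The mbuf is then referenced by neither the chain nor the table, which trades the double free for a leak. Check the result before dropping the table reference, e.g. `if (rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m) != 0) return NULL;`, so the table still holds both mbufs and can free them later. The same pattern appears in the `ipv6_frag_reassemble()` hunk, and presumably in the preceding loop, which lies outside these hunks along with the rest of both functions.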
@@ -82,7 +82,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
/* chain with the first fragment. */
rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+ fp->frags[curr_idx].mb = NULL;
m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+ fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
/* update mbuf fields for reassembled packet. */
m->ol_flags |= PKT_TX_IP_CKSUM;