summaryrefslogtreecommitdiff
path: root/lib/librte_ip_frag
diff options
context:
space:
mode:
authorAllain Legacy <allain.legacy@windriver.com>2018-03-19 09:25:23 -0500
committerThomas Monjalon <thomas@monjalon.net>2018-04-15 14:44:07 +0200
commit4f512a1919998933a39886ab2ec7f2fdde48756c (patch)
tree5caf9710dec63979f9704a810a78daa2909ff514 /lib/librte_ip_frag
parent85bf2b6001d2b1aa2383d5856f71f2c9e1ebf400 (diff)
downloaddpdk-4f512a1919998933a39886ab2ec7f2fdde48756c.zip
dpdk-4f512a1919998933a39886ab2ec7f2fdde48756c.tar.gz
dpdk-4f512a1919998933a39886ab2ec7f2fdde48756c.tar.xz
ip_frag: fix double free of chained mbufs
The first mbuf and the last mbuf to be visited in the preceding loop are not set to NULL in the fragmentation table. This creates the possibility of a double free when the fragmentation table is later freed with rte_ip_frag_table_destroy(). Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy") Cc: stable@dpdk.org Signed-off-by: Allain Legacy <allain.legacy@windriver.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Diffstat (limited to 'lib/librte_ip_frag')
-rw-r--r--lib/librte_ip_frag/rte_ipv4_reassembly.c2
-rw-r--r--lib/librte_ip_frag/rte_ipv6_reassembly.c2
2 files changed, 4 insertions, 0 deletions
diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index 82e831c..4956b99 100644
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -59,7 +59,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
/* chain with the first fragment. */
rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+ fp->frags[curr_idx].mb = NULL;
m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+ fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
/* update mbuf fields for reassembled packet. */
m->ol_flags |= PKT_TX_IP_CKSUM;
diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
index 3479fab..db249fe 100644
--- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
@@ -82,7 +82,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
/* chain with the first fragment. */
rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+ fp->frags[curr_idx].mb = NULL;
m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+ fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
/* update mbuf fields for reassembled packet. */
m->ol_flags |= PKT_TX_IP_CKSUM;