diff options
author | Peng He <hepeng.0320@bytedance.com> | 2020-12-22 10:47:35 +0800 |
---|---|---|
committer | Ilya Maximets <i.maximets@ovn.org> | 2021-01-13 16:05:56 +0100 |
commit | 9713985c84c9629038bfa6b64893b1beb4b3e321 (patch) | |
tree | 425eb1ba0a0ff2f7f379c968179855b0c93d21e5 | |
parent | 6437d1b7fd499295f5250a7dab777a49311d677b (diff) | |
download | openvswitch-9713985c84c9629038bfa6b64893b1beb4b3e321.tar.gz |
ipf: Avoid accessing to a freed rp.
if there are multiple pkts in the batch, the loop will access a
freed rp, which cause ovs crash.
Fixes: 4ea96698f667 ("Userspace datapath: Add fragmentation handling.")
Signed-off-by: Peng He <hepeng.0320@bytedance.com>
Acked-by: Mark Gray <mark.d.gray@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
-rw-r--r-- | lib/ipf.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -1153,7 +1153,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf, /* Inner batch loop is constant time since batch size is <= * NETDEV_MAX_BURST. */ DP_PACKET_BATCH_REFILL_FOR_EACH (pb_idx, pb_cnt, pkt, pb) { - if (pkt == rp->list->reass_execute_ctx) { + if (rp && pkt == rp->list->reass_execute_ctx) { for (int i = 0; i <= rp->list->last_inuse_idx; i++) { rp->list->frag_list[i].pkt->md.ct_label = pkt->md.ct_label; rp->list->frag_list[i].pkt->md.ct_mark = pkt->md.ct_mark; @@ -1206,6 +1206,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf, ipf_reassembled_list_remove(rp); dp_packet_delete(rp->pkt); free(rp); + rp = NULL; } else { dp_packet_batch_refill(pb, pkt, pb_idx); } |