[ovs-dev] [PATCH v2] ipf: avoid accessing to a freed rp.
Ilya Maximets
i.maximets at ovn.org
Wed Jan 13 23:31:49 UTC 2021
On 1/12/21 5:46 PM, Mark Gray wrote:
> On 22/12/2020 02:47, Peng He wrote:
>> From: "hepeng.0320" <hepeng.0320 at bytedance.com>
>>
>> if there are multiple pkts in the batch, the loop will access a
>> freed rp, which cause ovs crash.
>>
>> Fixes: 4ea96698f667 ("Userspace datapath: Add fragmentation handling.")
>> Signed-off-by: Peng He <hepeng.0320 at bytedance.com>
>> ---
>> lib/ipf.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/ipf.c b/lib/ipf.c
>> index 446e89d13..c20bcc0b3 100644
>> --- a/lib/ipf.c
>> +++ b/lib/ipf.c
>> @@ -1153,7 +1153,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf,
>> /* Inner batch loop is constant time since batch size is <=
>> * NETDEV_MAX_BURST. */
>> DP_PACKET_BATCH_REFILL_FOR_EACH (pb_idx, pb_cnt, pkt, pb) {
>> - if (pkt == rp->list->reass_execute_ctx) {
>> + if (rp && pkt == rp->list->reass_execute_ctx) {
>> for (int i = 0; i <= rp->list->last_inuse_idx; i++) {
>> rp->list->frag_list[i].pkt->md.ct_label = pkt->md.ct_label;
>> rp->list->frag_list[i].pkt->md.ct_mark = pkt->md.ct_mark;
>> @@ -1206,6 +1206,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf,
>> ipf_reassembled_list_remove(rp);
>> dp_packet_delete(rp->pkt);
>> free(rp);
>> + rp = NULL;
>> } else {
>> dp_packet_batch_refill(pb, pkt, pb_idx);
>> }
>>
> Looks ok to me. If you have to respin it, it would be good to add a
> comment but the logic seems ok.
>
> Acked-by: Mark Gray <mark.d.gray at redhat.com>
>
Thanks! Applied to master and backported down to 2.12.
Best regards, Ilya Maximets.
More information about the dev
mailing list