[ovs-dev] [PATCH v2] ipf: avoid accessing to a freed rp.

Ilya Maximets i.maximets at ovn.org
Wed Jan 13 23:31:49 UTC 2021


On 1/12/21 5:46 PM, Mark Gray wrote:
> On 22/12/2020 02:47, Peng He wrote:
>> From: "hepeng.0320" <hepeng.0320 at bytedance.com>
>>
>> If there are multiple pkts in the batch, the loop will access a
>> freed rp, which causes ovs to crash.
>>
>> Fixes: 4ea96698f667 ("Userspace datapath: Add fragmentation handling.")
>> Signed-off-by: Peng He <hepeng.0320 at bytedance.com>
>> ---
>>  lib/ipf.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/ipf.c b/lib/ipf.c
>> index 446e89d13..c20bcc0b3 100644
>> --- a/lib/ipf.c
>> +++ b/lib/ipf.c
>> @@ -1153,7 +1153,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf,
>>          /* Inner batch loop is constant time since batch size is <=
>>           * NETDEV_MAX_BURST. */
>>          DP_PACKET_BATCH_REFILL_FOR_EACH (pb_idx, pb_cnt, pkt, pb) {
>> -            if (pkt == rp->list->reass_execute_ctx) {
>> +            if (rp && pkt == rp->list->reass_execute_ctx) {
>>                  for (int i = 0; i <= rp->list->last_inuse_idx; i++) {
>>                      rp->list->frag_list[i].pkt->md.ct_label = pkt->md.ct_label;
>>                      rp->list->frag_list[i].pkt->md.ct_mark = pkt->md.ct_mark;
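Review bot: The new `rp &&` guard in the `if (rp && pkt == rp->list->reass_execute_ctx)` condition gives no hint of why `rp` could be NULL at that point, because the assignment that makes it so sits roughly fifty lines further down in the same function. A short comment above the condition would help, for example noting that `rp` is set to NULL once its reassembled packet has been matched and freed earlier in this batch, and that the loop keeps running only so the remaining packets reach `dp_packet_batch_refill()`. Without it, a later cleanup could drop the guard as redundant and bring back the use-after-free.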
>> @@ -1206,6 +1206,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf,
>>                  ipf_reassembled_list_remove(rp);
>>                  dp_packet_delete(rp->pkt);
>>                  free(rp);
>> +                rp = NULL;
>>              } else {
>>                  dp_packet_batch_refill(pb, pkt, pb_idx);
>>              }
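Review bot: The `rp = NULL;` after `free(rp);` leaves `rp` NULL for whatever code runs once the inner batch loop ends, and the hunk does not show the outer loop that supplies `rp`. It is worth confirming in the commit message or a comment that the outer iteration advances from a saved next pointer rather than from `rp` itself, otherwise the crash only moves from a freed pointer to a NULL one. A one-line comment next to the assignment saying that the remaining packets in the batch must not be compared against the freed `rp` would also cover the comment Mark asks for below.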
>>
> Looks ok to me. If you have to respin it, it would be good to add a
> comment but the logic seems ok.
> 
> Acked-by: Mark Gray <mark.d.gray at redhat.com>
> 

Thanks!  Applied to master and backported down to 2.12.

Best regards, Ilya Maximets.

