From: "hepeng.0320" <hepeng.0...@bytedance.com>
if there are multiple pkts in the batch, the loop will access a
freed rp, which cause ovs crash.
Fixes: 4ea96698f667 ("Userspace datapath: Add fragmentation handling.")
Signed-off-by: Peng He <hepeng.0...@bytedance.com>
---
lib/ipf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/ipf.c b/lib/ipf.c
index 446e89d13..c20bcc0b3 100644
--- a/lib/ipf.c
+++ b/lib/ipf.c
@@ -1153,7 +1153,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf,
/* Inner batch loop is constant time since batch size is <=
* NETDEV_MAX_BURST. */
DP_PACKET_BATCH_REFILL_FOR_EACH (pb_idx, pb_cnt, pkt, pb) {
- if (pkt == rp->list->reass_execute_ctx) {
+ if (rp && pkt == rp->list->reass_execute_ctx) {
for (int i = 0; i <= rp->list->last_inuse_idx; i++) {
rp->list->frag_list[i].pkt->md.ct_label = pkt->md.ct_label;
rp->list->frag_list[i].pkt->md.ct_mark = pkt->md.ct_mark;
@@ -1206,6 +1206,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf,
ipf_reassembled_list_remove(rp);
dp_packet_delete(rp->pkt);
free(rp);
+ rp = NULL;
} else {
dp_packet_batch_refill(pb, pkt, pb_idx);
}
--
2.20.1
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
