author | Benoît Ganne <bganne@cisco.com> | 2019-10-23 13:53:49 +0200 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2019-10-28 09:13:50 +0000 |
commit | cf7803d2e864fb71f14943a544ac309d3d0510cb (patch) | |
tree | 2c12f423d25fe37c2596a31b8e09742d95628e77 /src/vnet/ip/reass/ip4_full_reass.c | |
parent | 1b1ccadc900deffd7b8e306ae8dce79a3115778c (diff) |
ip: reassembly: fix use-after-free
When processing the last buffer of a reassembled packet, the current
buffer will be freed and must be reloaded using the updated index.
Type: fix
Change-Id: Ib39e29e60eb527b4cd4828a3aa37d82c8dddd709
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/vnet/ip/reass/ip4_full_reass.c')
-rw-r--r-- | src/vnet/ip/reass/ip4_full_reass.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/vnet/ip/reass/ip4_full_reass.c b/src/vnet/ip/reass/ip4_full_reass.c
index 303f23337ee..f6c05466e19 100644
--- a/src/vnet/ip/reass/ip4_full_reass.c
+++ b/src/vnet/ip/reass/ip4_full_reass.c
@@ -1224,13 +1224,17 @@ ip4_full_reass_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 packet_enqueue:
- b0->error = node->errors[error0];
 if (bi0 != ~0)
 {
 to_next[0] = bi0;
 to_next += 1;
 n_left_to_next -= 1;
+
+ /* bi0 might have been updated by reass_finalize, reload */
+ b0 = vlib_get_buffer (vm, bi0);
+ b0->error = node->errors[error0];
+
 if (next0 == IP4_FULL_REASS_NEXT_HANDOFF)
 {
 if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
@@ -1243,7 +1247,6 @@ ip4_full_reass_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 }
 else if (is_feature && IP4_ERROR_NONE == error0)
 {
- b0 = vlib_get_buffer (vm, bi0);
 vnet_feature_next (&next0, b0);
 }
 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, |
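Review bot: `b0` can still be a dangling pointer between the point where the reassembly frees the current buffer and the reload added under `packet_enqueue:`, and the new comment does not say so; it reads as if only the index changed. I would word it as `/* reass_finalize may free the current buffer and replace bi0; b0 is stale from there until reloaded here */` so that nobody later adds a `b0` dereference above this line. Moving `b0->error = node->errors[error0];` inside `if (bi0 != ~0)` also means no error is recorded on a buffer when `bi0 == ~0`, which looks intended but deserves a line in the commit message. The body of ip4_full_reass_inline starts and ends outside these hunks, so any other use of `b0` between the finalize path and this label (tracing, for instance) should be checked against the same rule.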