diff options
| author |   Kingwel Xie <kingwel.xie@ericsson.com> | 2018-09-26 04:59:52 -0400 |
|---|---|---|
| committer |   Damjan Marion <dmarion@me.com> | 2018-09-26 15:48:38 +0000 |
| commit | a0060659d88e1e95543cd799512548ec9fbe73ec (patch) | |
| tree | 48227a22676e5096fecabac1cdf96365c764760b /src/vnet/ip | |
| parent | 02756074759ca47f4c637e1ff34644a11d64140a (diff) | |
mismatch bi0 and b0 when finalizing ip reassembly.
bi0 always points to the first buffer in chain but b0 could be any fragment in a ip packet.
It causes a vnet_feature_next function call to the wrong buffer
and crashes sometime when there is >1 feature nodes under ip-unicast.
The fix is simple, makes b0 and bi0 both pointed to the first buffer
Change-Id: I7de36e68fb42b050fa63201abd98aeb6ba2e0cd3
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
Diffstat (limited to 'src/vnet/ip')
| -rw-r--r-- | src/vnet/ip/ip4_reassembly.c | 1 | ||||
| -rw-r--r-- | src/vnet/ip/ip6_reassembly.c | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/src/vnet/ip/ip4_reassembly.c b/src/vnet/ip/ip4_reassembly.c index 3466f72e518..08b3e544e02 100644 --- a/src/vnet/ip/ip4_reassembly.c +++ b/src/vnet/ip/ip4_reassembly.c @@ -961,6 +961,7 @@ ip4_reassembly_inline (vlib_main_t * vm, n_left_to_next -= 1; if (is_feature && IP4_ERROR_NONE == error0) { + b0 = vlib_get_buffer (vm, bi0); vnet_feature_next (&next0, b0); } vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, diff --git a/src/vnet/ip/ip6_reassembly.c b/src/vnet/ip/ip6_reassembly.c index fae0e61a72f..50445f2a181 100644 --- a/src/vnet/ip/ip6_reassembly.c +++ b/src/vnet/ip/ip6_reassembly.c @@ -990,6 +990,7 @@ ip6_reassembly_inline (vlib_main_t * vm, n_left_to_next -= 1; if (is_feature && IP6_ERROR_NONE == error0) { + b0 = vlib_get_buffer (vm, bi0); vnet_feature_next (&next0, b0); } vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, |