From 2d0ebd7ebc555565868038a09d80a61f5de29430 Mon Sep 17 00:00:00 2001
From: Benoît Ganne
Date: Fri, 19 Jul 2019 13:42:12 +0200
Subject: ip: fix use-after-free in reassembly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- ip{4,6}_reass_finalize() frees the reassembly context: do not access it after the call.
- traces access reassembly context: free it after and not before tracing.

Type: fix
Change-Id: Ia3aaea9c7b74932e249e013be04b9bd7298fd187
Signed-off-by: Benoît Ganne
---
 src/vnet/ip/reass/ip4_full_reass.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src/vnet/ip/reass/ip4_full_reass.c')

diff --git a/src/vnet/ip/reass/ip4_full_reass.c b/src/vnet/ip/reass/ip4_full_reass.c
index 18ac4d1b1b0..176c01c74fb 100644
--- a/src/vnet/ip/reass/ip4_full_reass.c
+++ b/src/vnet/ip/reass/ip4_full_reass.c
@@ -1040,11 +1040,12 @@ ip4_full_reass_update (vlib_main_t * vm, vlib_node_runtime_t * node,
       reass->data_len == reass->last_packet_octet + 1)
     {
       *handoff_thread_idx = reass->sendout_thread_index;
+      int handoff =
+        reass->memory_owner_thread_index != reass->sendout_thread_index;
       rc = ip4_full_reass_finalize (vm, node, rm, rt, reass, bi0, next0, error0, is_custom_app);
-      if (IP4_REASS_RC_OK == rc
-          && reass->memory_owner_thread_index != reass->sendout_thread_index)
+      if (IP4_REASS_RC_OK == rc && handoff)
         {
           rc = IP4_REASS_RC_HANDOFF;
         }
-- 
cgit 1.2.3-korg
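Review bot: The new `int handoff` local is correct only because it is evaluated before the `ip4_full_reass_finalize` call that frees `reass`, and nothing in the hunk records that ordering constraint, so a later refactor that moves the declaration next to the `if` would silently reintroduce the use-after-free. Add a comment on the added lines, e.g. `/* reass is freed by ip4_full_reass_finalize(): read everything we need from it first */`, and consider a matching note on the `*handoff_thread_idx` assignment just above, which has the same dependency. The enclosing `ip4_full_reass_update` continues outside the hunk; any remaining reads of `reass` after this block in the rest of the function should be checked against the same rule, since the diffstat shows only this one hunk in the file.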