From 82ae1a485ecb6e541134f49ebe3aa322deb60c89 Mon Sep 17 00:00:00 2001
From: Benoît Ganne <bganne@cisco.com>
Date: Wed, 23 Oct 2019 13:53:49 +0200
Subject: ip: reassembly: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When processing the last buffer of a reassembled packet, the current
buffer will be freed and must be reloaded using the updated index.

Type: fix

Change-Id: Ib39e29e60eb527b4cd4828a3aa37d82c8dddd709
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit cf7803d2e864fb71f14943a544ac309d3d0510cb)
---
 src/vnet/ip/reass/ip4_full_reass.c | 7 +++++--
 src/vnet/ip/reass/ip6_full_reass.c | 8 +++++---
 2 files changed, 10 insertions(+), 5 deletions(-)

(limited to 'src/vnet/ip')

diff --git a/src/vnet/ip/reass/ip4_full_reass.c b/src/vnet/ip/reass/ip4_full_reass.c
index 73e820f5427..a2d08a4909c 100644
--- a/src/vnet/ip/reass/ip4_full_reass.c
+++ b/src/vnet/ip/reass/ip4_full_reass.c
@@ -1208,13 +1208,17 @@ ip4_full_reass_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 
 
 	packet_enqueue:
-	  b0->error = node->errors[error0];
 
 	  if (bi0 != ~0)
 	    {
 	      to_next[0] = bi0;
 	      to_next += 1;
 	      n_left_to_next -= 1;
+
+	      /* bi0 might have been updated by reass_finalize, reload */
+	      b0 = vlib_get_buffer (vm, bi0);
+	      b0->error = node->errors[error0];
+
 	      if (next0 == IP4_FULL_REASS_NEXT_HANDOFF)
 		{
 		  if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
@@ -1233,7 +1237,6 @@ ip4_full_reass_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 		}
 	      else if (is_feature && IP4_ERROR_NONE == error0)
 		{
-		  b0 = vlib_get_buffer (vm, bi0);
 		  vnet_feature_next (&next0, b0);
 		}
 	      vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
diff --git a/src/vnet/ip/reass/ip6_full_reass.c b/src/vnet/ip/reass/ip6_full_reass.c
index 10acd0e1eda..6848f59c65c 100644
--- a/src/vnet/ip/reass/ip6_full_reass.c
+++ b/src/vnet/ip/reass/ip6_full_reass.c
@@ -1168,14 +1168,17 @@ ip6_full_reassembly_inline (vlib_main_t * vm,
 	      error0 = IP6_ERROR_REASS_LIMIT_REACHED;
 	    }
 
-	  b0->error = node->errors[error0];
-
 	  if (~0 != bi0)
 	    {
 	    skip_reass:
 	      to_next[0] = bi0;
 	      to_next += 1;
 	      n_left_to_next -= 1;
+
+	      /* bi0 might have been updated by reass_finalize, reload */
+	      b0 = vlib_get_buffer (vm, bi0);
+	      b0->error = node->errors[error0];
+
 	      if (next0 == IP6_FULL_REASSEMBLY_NEXT_HANDOFF)
 		{
 		  if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
@@ -1194,7 +1197,6 @@ ip6_full_reassembly_inline (vlib_main_t * vm,
 		}
 	      else if (is_feature && IP6_ERROR_NONE == error0)
 		{
-		  b0 = vlib_get_buffer (vm, bi0);
 		  vnet_feature_next (&next0, b0);
 		}
 	      vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
-- 
cgit 1.2.3-korg