From a0060659d88e1e95543cd799512548ec9fbe73ec Mon Sep 17 00:00:00 2001
From: Kingwel Xie
Date: Wed, 26 Sep 2018 04:59:52 -0400
Subject: mismatch bi0 and b0 when finalizing ip reassembly. bi0 always points to the first buffer in chain but b0 could be any fragment in a ip packet. It causes a vnet_feature_next function call to the wrong buffer and crashes sometime when there is >1 feature nodes under ip-unicast. The fix is simple, makes b0 and bi0 both pointed to the first buffer
Change-Id: I7de36e68fb42b050fa63201abd98aeb6ba2e0cd3
Signed-off-by: Kingwel Xie
---
 src/vnet/ip/ip4_reassembly.c | 1 +
 src/vnet/ip/ip6_reassembly.c | 1 +
 2 files changed, 2 insertions(+) (limited to 'src/vnet')
diff --git a/src/vnet/ip/ip4_reassembly.c b/src/vnet/ip/ip4_reassembly.c
index 3466f72e518..08b3e544e02 100644
--- a/src/vnet/ip/ip4_reassembly.c
+++ b/src/vnet/ip/ip4_reassembly.c
@@ -961,6 +961,7 @@ ip4_reassembly_inline (vlib_main_t * vm,
 n_left_to_next -= 1;
 if (is_feature && IP4_ERROR_NONE == error0)
 {
+ b0 = vlib_get_buffer (vm, bi0);
 vnet_feature_next (&next0, b0);
 }
 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
diff --git a/src/vnet/ip/ip6_reassembly.c b/src/vnet/ip/ip6_reassembly.c
index fae0e61a72f..50445f2a181 100644
--- a/src/vnet/ip/ip6_reassembly.c
+++ b/src/vnet/ip/ip6_reassembly.c
@@ -990,6 +990,7 @@ ip6_reassembly_inline (vlib_main_t * vm,
 n_left_to_next -= 1;
 if (is_feature && IP6_ERROR_NONE == error0)
 {
+ b0 = vlib_get_buffer (vm, bi0);
 vnet_feature_next (&next0, b0);
 }
 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
-- 
cgit 1.2.3-korg
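Review bot: The re-fetch of `b0` inside the `is_feature && IP4_ERROR_NONE == error0` branch restores the `b0`/`bi0` pairing only for the `vnet_feature_next` call, so any other use of `b0` after reassembly finalizes would still touch whichever fragment arrived last; none is visible in this hunk, but the body of `ip4_reassembly_inline` extends beyond it on both sides and should be checked. Because the sender decides the order in which fragments arrive, the crash described in the commit message is reachable from the network, which argues for refreshing `b0` at the point where `bi0` is switched to the head of the chain rather than at one consumer. At minimum the new line needs a comment, since it reads as redundant without one: `/* bi0 now names the head of the reassembled chain; b0 may still be the last fragment received */`. The same applies to the identical change in `ip6_reassembly_inline` in src/vnet/ip/ip6_reassembly.c.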