ipf: Avoid accessing to a freed rp.

if there are multiple pkts in the batch, the loop will access a freed rp, which cause ovs crash. Fixes: 4ea9669 ("Userspace datapath: Add fragmentation handling.") Signed-off-by: Peng He <hepeng.0320@bytedance.com> Acked-by: Mark Gray <mark.d.gray@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
openvswitch · Jan 13, 2021 · 54a40f2 · 54a40f2
1 parent ed45e64
commit 54a40f2
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/ipf.c b/lib/ipf.c
@@ -1150,7 +1150,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf,
         /* Inner batch loop is constant time since batch size is <=
          * NETDEV_MAX_BURST. */
         DP_PACKET_BATCH_REFILL_FOR_EACH (pb_idx, pb_cnt, pkt, pb) {
-            if (pkt == rp->list->reass_execute_ctx) {
+            if (rp && pkt == rp->list->reass_execute_ctx) {
                 for (int i = 0; i <= rp->list->last_inuse_idx; i++) {
                     rp->list->frag_list[i].pkt->md.ct_label = pkt->md.ct_label;
                     rp->list->frag_list[i].pkt->md.ct_mark = pkt->md.ct_mark;
@@ -1198,6 +1198,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf,
                 ipf_reassembled_list_remove(rp);
                 dp_packet_delete(rp->pkt);
                 free(rp);
+                rp = NULL;
             } else {
                 dp_packet_batch_refill(pb, pkt, pb_idx);
             }