It is easy to crash ovs when a packet with the same id
hits a list that has already been completely reassembled
but has not been sent out yet, and this packet is
not a duplicate of anything in the ipf list it hits,
due to its bigger offset.

    1  0x00007f9fef0ae2d9 in __GI_abort () at abort.c:89
    2  0x0000000000464042 in ipf_list_state_transition at lib/ipf.c:545

Co-authored-by: Wang Li <[email protected]>
Signed-off-by: Wang Li <[email protected]>
Signed-off-by: Li RongQing <[email protected]>
---
 lib/ipf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/ipf.c b/lib/ipf.c
index 4cc0f2df6..45c489122 100644
--- a/lib/ipf.c
+++ b/lib/ipf.c
@@ -899,7 +899,8 @@ ipf_handle_frag(struct ipf *ipf, struct dp_packet *pkt, 
ovs_be16 dl_type,
                       MIN(max_frag_list_size, IPF_FRAG_LIST_MIN_INCREMENT));
         hmap_insert(&ipf->frag_lists, &ipf_list->node, hash);
         ipf_expiry_list_add(&ipf->frag_exp_list, ipf_list, now);
-    } else if (ipf_list->state == IPF_LIST_STATE_REASS_FAIL) {
+    } else if (ipf_list->state == IPF_LIST_STATE_REASS_FAIL ||
+               ipf_list->state == IPF_LIST_STATE_COMPLETED) {
         /* Bail out as early as possible. */
         return false;
     } else if (ipf_list->last_inuse_idx + 1 >= ipf_list->size) {
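Review bot: The comment under the widened condition, `/* Bail out as early as possible. */`, does not say why a completed list is now rejected alongside a failed one. The commit message shows this path was reachable from packet input and ended in abort() in ipf_list_state_transition, so the reason is worth recording, for example `/* Reassembly failed, or the list is complete and awaiting send: a late fragment must not drive another state transition. */`. The diffstat touches only lib/ipf.c, so nothing here exercises a same-id fragment with a larger offset arriving after completion; a regression test for that case would keep the abort from coming back. What the caller does with the `false` return is outside the hunk, so it should be confirmed that a late fragment for a completed list is meant to take the same path as one for a REASS_FAIL list. ipf_handle_frag starts and ends outside the hunk.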
-- 
2.16.2
