On 22/12/2020 02:47, Peng He wrote: > From: "hepeng.0320" <[email protected]> > > if there are multiple pkts in the batch, the loop will access a > freed rp, which cause ovs crash. > > Fixes: 4ea96698f667 ("Userspace datapath: Add fragmentation handling.") > Signed-off-by: Peng He <[email protected]> > --- > lib/ipf.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/lib/ipf.c b/lib/ipf.c > index 446e89d13..c20bcc0b3 100644 > --- a/lib/ipf.c > +++ b/lib/ipf.c > @@ -1153,7 +1153,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf, > /* Inner batch loop is constant time since batch size is <= > * NETDEV_MAX_BURST. */ > DP_PACKET_BATCH_REFILL_FOR_EACH (pb_idx, pb_cnt, pkt, pb) { > - if (pkt == rp->list->reass_execute_ctx) { > + if (rp && pkt == rp->list->reass_execute_ctx) { > for (int i = 0; i <= rp->list->last_inuse_idx; i++) { > rp->list->frag_list[i].pkt->md.ct_label = > pkt->md.ct_label; > rp->list->frag_list[i].pkt->md.ct_mark = pkt->md.ct_mark; > @@ -1206,6 +1206,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf, > ipf_reassembled_list_remove(rp); > dp_packet_delete(rp->pkt); > free(rp); > + rp = NULL; > } else { > dp_packet_batch_refill(pb, pkt, pb_idx); > } > Looks ok to me. If you have to respin it, it would be good to add a comment but the logic seems ok.
Acked-by: Mark Gray <[email protected]>
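
Review bot: The new `rp &&` guard in the @@ -1153 hunk has no comment saying why rp can be NULL at the top of the DP_PACKET_BATCH_REFILL_FOR_EACH body, and the assignment that makes it NULL is some fifty lines further down in the same loop. A one-line comment above `if (rp && pkt == rp->list->reass_execute_ctx)` noting that rp is freed and cleared once its packet has been matched would make the dependency obvious. The lines quoted here also do not show how the enclosing loop advances rp, so it is worth confirming that loop does not read rp after this inner loop has set it to NULL.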
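
Review bot: In the @@ -1206 hunk, `rp = NULL;` right after `free(rp);` is only meaningful together with the guard added in the first hunk, and nothing at this site says so. Suggest a short comment here explaining that the rest of the batch still has to pass through the `dp_packet_batch_refill(pb, pkt, pb_idx)` branch, which is why the loop continues with rp cleared instead of using a `break`. Without that note a later cleanup could drop the assignment as redundant and reintroduce the use of the freed rp described in the commit message.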
