ping
于2020年10月14日星期三 11:15 <hepeng.0...@bytedance.com> 写道:
if there are multiple pkts in the batch, the loop will access a freed rp,
which cause ovs crash. --- lib/ipf.c | 3 ++- 1 file changed, 2
insertions(+), 1 deletion(-) diff --git a/lib/ipf.c b/lib/ipf.c index
446e89d13..c20bcc0b3 100644 --- a/lib/ipf.c +++ b/lib/ipf.c @@ -1153,7
+1153,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf, /* Inner batch loop
is constant time since batch size is <= * NETDEV_MAX_BURST. */
DP_PACKET_BATCH_REFILL_FOR_EACH (pb_idx, pb_cnt, pkt, pb) { - if (pkt ==
rp->list->reass_execute_ctx) { + if (rp && pkt ==
rp->list->reass_execute_ctx) { for (int i = 0; i <=
rp->list->last_inuse_idx; i++) { rp->list->frag_list[i].pkt->md.ct_label =
pkt->md.ct_label; rp->list->frag_list[i].pkt->md.ct_mark = pkt->md.ct_mark;
@@ -1206,6 +1206,7 @@ ipf_post_execute_reass_pkts(struct ipf *ipf,
ipf_reassembled_list_remove(rp); dp_packet_delete(rp->pkt); free(rp); + rp
= NULL; } else { dp_packet_batch_refill(pb, pkt, pb_idx); } -- 2.20.1
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
