ip: fix use-after-free in reassembly
- ip{4,6}_reass_finalize() frees the reassembly context: do not access
it after the call.
- traces access reassembly context: free it after and not before
tracing.
Type: fix
Change-Id: Ia3aaea9c7b74932e249e013be04b9bd7298fd187
Signed-off-by: Benoît Ganne <bganne@cisco.com>
diff --git a/src/vnet/ip/reass/ip4_full_reass.c b/src/vnet/ip/reass/ip4_full_reass.c
index 18ac4d1..176c01c 100644
--- a/src/vnet/ip/reass/ip4_full_reass.c
+++ b/src/vnet/ip/reass/ip4_full_reass.c
@@ -1040,11 +1040,12 @@
reass->data_len == reass->last_packet_octet + 1)
{
*handoff_thread_idx = reass->sendout_thread_index;
+ int handoff =
+ reass->memory_owner_thread_index != reass->sendout_thread_index;
rc =
ip4_full_reass_finalize (vm, node, rm, rt, reass, bi0, next0, error0,
is_custom_app);
- if (IP4_REASS_RC_OK == rc
- && reass->memory_owner_thread_index != reass->sendout_thread_index)
+ if (IP4_REASS_RC_OK == rc && handoff)
{
rc = IP4_REASS_RC_HANDOFF;
}