ip: fix use-after-free in reassembly

 - ip{4,6}_reass_finalize() frees the reassembly context: do not access
it after the call.
 - traces access reassembly context: free it after and not before
tracing.

Type: fix

Change-Id: Ia3aaea9c7b74932e249e013be04b9bd7298fd187
Signed-off-by: Benoît Ganne <bganne@cisco.com>
diff --git a/src/vnet/ip/reass/ip6_full_reass.c b/src/vnet/ip/reass/ip6_full_reass.c
index 0b41dea..92fab60 100644
--- a/src/vnet/ip/reass/ip6_full_reass.c
+++ b/src/vnet/ip/reass/ip6_full_reass.c
@@ -885,13 +885,13 @@
       else
 	{
 	  // overlapping fragment - not allowed by RFC 8200
-	  ip6_full_reass_drop_all (vm, node, rm, reass);
-	  ip6_full_reass_free (rm, rt, reass);
 	  if (PREDICT_FALSE (fb->flags & VLIB_BUFFER_IS_TRACED))
 	    {
 	      ip6_full_reass_add_trace (vm, node, rm, reass, *bi0,
 					RANGE_OVERLAP, ~0);
 	    }
+	  ip6_full_reass_drop_all (vm, node, rm, reass);
+	  ip6_full_reass_free (rm, rt, reass);
 	  *next0 = IP6_FULL_REASSEMBLY_NEXT_DROP;
 	  *error0 = IP6_ERROR_REASS_OVERLAPPING_FRAGMENT;
 	  return IP6_FULL_REASS_RC_OK;
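Review bot: Nothing at this site records why the trace call now has to come before `ip6_full_reass_free()`, so a later reordering could quietly reintroduce the use-after-free in the overlapping-fragment branch. A one-line comment above the `if (PREDICT_FALSE (...))` would pin the ordering, e.g. `// trace before drop/free: ip6_full_reass_add_trace() reads reass`. The same kind of comment belongs at the `ip6_full_reass_finalize()` call in the next hunk (@@ -911), where `handoff` is captured ahead of the call for the same lifetime reason. The enclosing function starts and ends outside this hunk.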
@@ -911,11 +911,12 @@
       reass->data_len == reass->last_packet_octet + 1)
     {
       *handoff_thread_idx = reass->sendout_thread_index;
+      int handoff =
+	reass->memory_owner_thread_index != reass->sendout_thread_index;
       ip6_full_reass_rc_t rc =
 	ip6_full_reass_finalize (vm, node, rm, rt, reass, bi0, next0, error0,
 				 is_custom_app);
-      if (IP6_FULL_REASS_RC_OK == rc
-	  && reass->memory_owner_thread_index != reass->sendout_thread_index)
+      if (IP6_FULL_REASS_RC_OK == rc && handoff)
 	{
 	  return IP6_FULL_REASS_RC_HANDOFF;
 	}
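Review bot: `handoff` is a snapshot that must not be recomputed once `ip6_full_reass_finalize()` has returned, yet it is declared as a plain mutable `int`. Writing `const int handoff = reass->memory_owner_thread_index != reass->sendout_thread_index;` states that intent at no cost. The function continues past the end of this hunk, so it is worth confirming that no later statement reads `reass` after finalize has run. The commit message names ip{4,6}, but only the ip6 file is visible here; the ip4 finalize call presumably needs the same pre-call snapshot.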