commit cf7803d2e864fb71f14943a544ac309d3d0510cb
author Benoît Ganne <bganne@cisco.com> Wed Oct 23 13:53:49 2019 +0200
committer Ole Trøan <otroan@employees.org> Mon Oct 28 09:13:50 2019 +0000
tree 2c12f423d25fe37c2596a31b8e09742d95628e77
parent 1b1ccadc900deffd7b8e306ae8dce79a3115778c

ip: reassembly: fix use-after-free

When processing the last buffer of a reassembled packet, the current
buffer will be freed and must be reloaded using the updated index.

Type: fix

Change-Id: Ib39e29e60eb527b4cd4828a3aa37d82c8dddd709
Signed-off-by: Benoît Ganne <bganne@cisco.com>

src/vnet/ip/reass/ip4_full_reass.c

diff --git a/src/vnet/ip/reass/ip4_full_reass.c b/src/vnet/ip/reass/ip4_full_reass.c
index 303f233..f6c0546 100644
--- a/src/vnet/ip/reass/ip4_full_reass.c
+++ b/src/vnet/ip/reass/ip4_full_reass.c
@@ -1224,13 +1224,17 @@
 
 
 	packet_enqueue:
-	  b0->error = node->errors[error0];
 
 	  if (bi0 != ~0)
 	    {
 	      to_next[0] = bi0;
 	      to_next += 1;
 	      n_left_to_next -= 1;
+
+	      /* bi0 might have been updated by reass_finalize, reload */
+	      b0 = vlib_get_buffer (vm, bi0);
+	      b0->error = node->errors[error0];
+
 	      if (next0 == IP4_FULL_REASS_NEXT_HANDOFF)
 		{
 		  if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
@@ -1243,7 +1247,6 @@
 		}
 	      else if (is_feature && IP4_ERROR_NONE == error0)
 		{
-		  b0 = vlib_get_buffer (vm, bi0);
 		  vnet_feature_next (&next0, b0);
 		}
 	      vlib_validate_buffer_enqueue_x1 (vm, node, next_index,