From af2cab63f95dfd84f3ae105524bd3fb7377a7391 Mon Sep 17 00:00:00 2001
From: Li RongQing <lirongqing@baidu.com>
Date: Thu, 14 Nov 2019 17:18:18 +0800
Subject: ipf: bail out when ipf state is COMPLETED
It is easy to crash OVS when a packet with the same id
hits a list that has already been completely reassembled
but has not been sent out yet, and this packet is
not a duplicate of a fragment already in that ipf list
because it has a bigger offset.
1 0x00007f9fef0ae2d9 in __GI_abort () at abort.c:89
2 0x0000000000464042 in ipf_list_state_transition at lib/ipf.c:545
Fixes: 4ea96698f667 ("Userspace datapath: Add fragmentation handling.")
Co-authored-by: Wang Li <wangli39@baidu.com>
Signed-off-by: Wang Li <wangli39@baidu.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
---
lib/ipf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/ipf.c b/lib/ipf.c
index 4cc0f2df6..45c489122 100644
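--- a/lib/ipf.c
+++ b/lib/ipf.c
@@ -899,7 +899,8 @@ ipf_handle_frag(struct ipf *ipf, struct dp_packet *pkt, ovs_be16 dl_type,
 MIN(max_frag_list_size, IPF_FRAG_LIST_MIN_INCREMENT));
 hmap_insert(&ipf->frag_lists, &ipf_list->node, hash);
 ipf_expiry_list_add(&ipf->frag_exp_list, ipf_list, now);
- } else if (ipf_list->state == IPF_LIST_STATE_REASS_FAIL) {
+ } else if (ipf_list->state == IPF_LIST_STATE_REASS_FAIL ||
+ ipf_list->state == IPF_LIST_STATE_COMPLETED) {
 /* Bail out as early as possible. */
 return false;
 } else if (ipf_list->last_inuse_idx + 1 >= ipf_list->size) {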
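Review bot: The retained comment `/* Bail out as early as possible. */` does not say why a completed list must reject further fragments, although that is the whole point of the widened condition; something like `/* A failed or already-completed list accepts no more fragments; a late fragment must never reach ipf_list_state_transition(). */` would record the invariant. The backtrace in the description ends in abort() inside ipf_list_state_transition, so fragment contents chosen by a sender can terminate the process whenever a list reaches that function in a state it does not expect. It is worth confirming that every remaining state is valid on the paths below this branch, which cannot be checked from the hunk because ipf_handle_frag starts and ends outside it. The diffstat lists only lib/ipf.c, so a regression test that feeds a non-duplicate fragment to an already-completed list would keep this crash path closed.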
--
2.14.1