[1/2] net/af_xdp: fix use after free in af_xdp_tx_zc()
Checks
Commit Message
tx_bytes is computed after both branches are tested. This might
produce a use after memory free.
The computation is now moved into both branches.
Bugzilla ID: 1440
Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks")
Signed-off-by: Ariel Otilibili <ariel.otilibili@6wind.com>
---
drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
On Thu, 16 Jan 2025 20:56:38 +0100
Ariel Otilibili <ariel.otilibili@6wind.com> wrote:
> tx_bytes is computed after both branches are tested. This might
> produce a use after memory free.
>
> The computation is now moved into both branches.
>
> Bugzilla ID: 1440
> Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks")
> Signed-off-by: Ariel Otilibili <ariel.otilibili@6wind.com>
> ---
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
Hello Stephen,
On Thu, Jan 30, 2025 at 7:24 PM Stephen Hemminger <
stephen@networkplumber.org> wrote:
> Acked-by: Stephen Hemminger <stephen@networkplumber.org>
>
Thanks for having looked into the patch; I have ACKed the fourth version by
your name,
https://inbox.dpdk.org/dev/20250130221853.789366-2-ariel.otilibili@6wind.com/
Regards,
Ariel
@@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
umem->mb_pool->header_size;
offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT;
desc->addr = addr | offset;
+ tx_bytes += mbuf->pkt_len;
count++;
} else {
struct rte_mbuf *local_mbuf =
@@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
desc->addr = addr | offset;
rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *),
desc->len);
+ tx_bytes += mbuf->pkt_len;
rte_pktmbuf_free(mbuf);
count++;
}
-
- tx_bytes += mbuf->pkt_len;
}
out: