From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christian Ehrhardt Subject: [PATCH 4/5] lpm: fix use after free of lpm in rte_lpm_create* Date: Wed, 16 Mar 2016 15:16:32 +0100 Message-ID: <1458137793-25826-5-git-send-email-christian.ehrhardt@canonical.com> References: <1458137793-25826-1-git-send-email-christian.ehrhardt@canonical.com> To: christian.ehrhardt@canonical.com, bruce.richardson@intel.com, dev@dpdk.org, olivier.matz@6wind.com Return-path: Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) by dpdk.org (Postfix) with ESMTP id 1CC16567F for ; Wed, 16 Mar 2016 15:16:46 +0100 (CET) In-Reply-To: <1458137793-25826-1-git-send-email-christian.ehrhardt@canonical.com> List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" There were further chances for a use after free by returning an already freed pointer in rte_lpm_create for v20 and v1604. Along that is also makes the RTE_LOG messages of the failed allocations unique. Signed-off-by: Christian Ehrhardt --- lib/librte_lpm/rte_lpm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c index 2cc87b6..d21c783 100644 --- a/lib/librte_lpm/rte_lpm.c +++ b/lib/librte_lpm/rte_lpm.c @@ -303,8 +303,9 @@ rte_lpm_create_v1604(const char *name, int socket_id, (size_t)rules_size, RTE_CACHE_LINE_SIZE, socket_id); if (lpm->rules_tbl == NULL) { - RTE_LOG(ERR, LPM, "LPM memory allocation failed\n"); + RTE_LOG(ERR, LPM, "LPM rules_tbl memory allocation failed\n"); rte_free(lpm); + lpm = NULL; rte_free(te); goto exit; } @@ -313,8 +314,9 @@ rte_lpm_create_v1604(const char *name, int socket_id, (size_t)tbl8s_size, RTE_CACHE_LINE_SIZE, socket_id); if (lpm->tbl8 == NULL) { - RTE_LOG(ERR, LPM, "LPM memory allocation failed\n"); + RTE_LOG(ERR, LPM, "LPM tbl8 memory allocation failed\n"); rte_free(lpm); + lpm = NULL; rte_free(te); goto exit; } -- 2.7.0