From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Timmons C. Player" Subject: [PATCH] net/af_packet: fix fd use after free Date: Thu, 5 Jan 2017 09:33:35 -0500 Message-ID: <1483626815-476-1-git-send-email-timmons.player@spirent.com> Cc: dev@dpdk.org, "Timmons C. Player" To: linville@tuxdriver.com Return-path: Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) by dpdk.org (Postfix) with ESMTP id 2D0685A44 for ; Thu, 5 Jan 2017 15:33:50 +0100 (CET) List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" When using the same file descriptor for both rx and tx, the eth_dev_stop function would close the same fd twice. This change prevents that from happening. Signed-off-by: Timmons C. Player --- drivers/net/af_packet/rte_eth_af_packet.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/net/af_packet/rte_eth_af_packet.c b/drivers/net/af_packet/rte_eth_af_packet.c index 2951f86..c44b8b9 100644 --- a/drivers/net/af_packet/rte_eth_af_packet.c +++ b/drivers/net/af_packet/rte_eth_af_packet.c @@ -261,9 +261,16 @@ eth_dev_stop(struct rte_eth_dev *dev) sockfd = internals->rx_queue[i].sockfd; if (sockfd != -1) close(sockfd); - sockfd = internals->tx_queue[i].sockfd; - if (sockfd != -1) - close(sockfd); + + /* Prevent use after free in case tx fd == rx fd */ + if (sockfd != internals->tx_queue[i].sockfd) { + sockfd = internals->tx_queue[i].sockfd; + if (sockfd != -1) + close(sockfd); + } + + internals->rx_queue[i].sockfd = -1; + internals->tx_queue[i].sockfd = -1; } dev->data->dev_link.link_status = ETH_LINK_DOWN; -- 2.7.4
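Review bot: The new comment in eth_dev_stop ("Prevent use after free in case tx fd == rx fd") and the subject line describe this as a use after free, but what the guard prevents is a second close() on the same descriptor number, so "double close" would be more accurate wording. The practical risk is that in a multithreaded process the number can be handed out again by another open or socket call between the two close() calls, and the second close() then closes an unrelated descriptor; stating that in the commit message would make the impact clear. The check only compares rx_queue[i].sockfd with tx_queue[i].sockfd at the same index i, so it is worth confirming that queue setup never shares a descriptor across different indices, since that case would still be closed twice. Resetting both fields to -1 at the end of the loop body is a good addition, as it also makes a repeated eth_dev_stop call harmless; a short comment saying so would help future readers.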