From mboxrd@z Thu Jan  1 00:00:00 1970
From: Stephen Hemminger <stephen@networkplumber.org>
Subject: Re: [PATCH] lpm6: fix use after free of lpm in
 rte_lpm6_create
Date: Fri, 4 Mar 2016 14:42:11 -0800
Message-ID: <20160304144211.7d8512c9@xeon-e3>
References: <1457087480-11216-1-git-send-email-christian.ehrhardt@canonical.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: dev@dpdk.org
To: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Return-path: <dev-bounces@dpdk.org>
Received: from mail-pa0-f53.google.com (mail-pa0-f53.google.com
 [209.85.220.53]) by dpdk.org (Postfix) with ESMTP id 1A5DD2BAB
 for <dev@dpdk.org>; Fri,  4 Mar 2016 23:41:59 +0100 (CET)
Received: by mail-pa0-f53.google.com with SMTP id fi3so39916776pac.3
 for <dev@dpdk.org>; Fri, 04 Mar 2016 14:41:59 -0800 (PST)
In-Reply-To: <1457087480-11216-1-git-send-email-christian.ehrhardt@canonical.com>
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

On Fri,  4 Mar 2016 11:31:20 +0100
Christian Ehrhardt <christian.ehrhardt@canonical.com> wrote:

> In certain autotests lpm->max_rules turned out to be non initialized.
> That was caused by a failing allocation for lpm->rules_tbl in rte_lpm6_create.
> It then left the function via goto exit with lpm freed, but still a pointer
> value being set.
> 
> In case of an allocation failure it resets lpm to NULL now, to avoid the
> upper layers operate on that already freed memory.
> Along that is also makes the RTE_LOG message of the failed allocation unique.
> ---
>  lib/librte_lpm/rte_lpm6.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c
> index 6c2b293..48931cc 100644
> --- a/lib/librte_lpm/rte_lpm6.c
> +++ b/lib/librte_lpm/rte_lpm6.c
> @@ -206,8 +206,9 @@ rte_lpm6_create(const char *name, int socket_id,
>  			(size_t)rules_size, RTE_CACHE_LINE_SIZE, socket_id);
>  
>  	if (lpm->rules_tbl == NULL) {
> -		RTE_LOG(ERR, LPM, "LPM memory allocation failed\n");
> +		RTE_LOG(ERR, LPM, "LPM rules_tbl allocation failed\n");
>  		rte_free(lpm);
> +		lpm = NULL;
>  		rte_free(te);
>  		goto exit;
>  	}

Acked-by: Stephen Hemminger <stephen@networkplumber.org>