[dpdk-dev] [PATCH] lpm6: fix use after free of lpm in rte_lpm6_create

Stephen Hemminger stephen at networkplumber.org
Fri Mar 4 23:42:11 CET 2016


On Fri,  4 Mar 2016 11:31:20 +0100
Christian Ehrhardt <christian.ehrhardt at canonical.com> wrote:

> In certain autotests lpm->max_rules turned out to be uninitialized.
> That was caused by a failing allocation for lpm->rules_tbl in rte_lpm6_create.
> It then left the function via goto exit with lpm freed, but with the pointer
> value still set.
> 
> In case of an allocation failure it resets lpm to NULL now, to avoid the
> upper layers operating on that already freed memory.
> Along with that, it also makes the RTE_LOG message of the failed allocation unique.
> ---
>  lib/librte_lpm/rte_lpm6.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c
> index 6c2b293..48931cc 100644
> --- a/lib/librte_lpm/rte_lpm6.c
> +++ b/lib/librte_lpm/rte_lpm6.c
> @@ -206,8 +206,9 @@ rte_lpm6_create(const char *name, int socket_id,
>  			(size_t)rules_size, RTE_CACHE_LINE_SIZE, socket_id);
>  
>  	if (lpm->rules_tbl == NULL) {
> -		RTE_LOG(ERR, LPM, "LPM memory allocation failed\n");
> +		RTE_LOG(ERR, LPM, "LPM rules_tbl allocation failed\n");
>  		rte_free(lpm);
> +		lpm = NULL;
>  		rte_free(te);
>  		goto exit;
>  	}
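
Review bot: the `lpm->rules_tbl == NULL` branch now hands NULL back to the caller, but nothing in the visible lines of that branch sets rte_errno, so a caller that gets NULL cannot tell an out-of-memory condition from the other failure reasons. Unless the code after the `exit` label already does so, consider adding `rte_errno = ENOMEM;` before the `goto exit`. The ordering in the branch is otherwise fine: `lpm = NULL;` comes after `rte_free(lpm);`, so the pointer is cleared only once the memory is released and `te` is still freed afterwards. Separately, the commit message has no Signed-off-by line above the `---`, and a Fixes: tag naming the commit that introduced the error path would help with backporting.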

Acked-by: Stephen Hemminger <stephen at networkplumber.org>

