[dpdk-dev] [PATCH] net/af_packet: fix fd use after free

Timmons C. Player timmons.player at spirent.com
Thu Jan 5 15:33:35 CET 2017


When using the same file descriptor for both rx and tx, the
eth_dev_stop function would close the same fd twice.   This
change prevents that from happening.

Signed-off-by: Timmons C. Player <timmons.player at spirent.com>
---
 drivers/net/af_packet/rte_eth_af_packet.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/drivers/net/af_packet/rte_eth_af_packet.c b/drivers/net/af_packet/rte_eth_af_packet.c
index 2951f86..c44b8b9 100644
--- a/drivers/net/af_packet/rte_eth_af_packet.c
+++ b/drivers/net/af_packet/rte_eth_af_packet.c
@@ -261,9 +261,16 @@ eth_dev_stop(struct rte_eth_dev *dev)
 		sockfd = internals->rx_queue[i].sockfd;
 		if (sockfd != -1)
 			close(sockfd);
-		sockfd = internals->tx_queue[i].sockfd;
-		if (sockfd != -1)
-			close(sockfd);
+
+		/* Prevent use after free in case tx fd == rx fd */
+		if (sockfd != internals->tx_queue[i].sockfd) {
+			sockfd = internals->tx_queue[i].sockfd;
+			if (sockfd != -1)
+				close(sockfd);
+		}
+
+		internals->rx_queue[i].sockfd = -1;
+		internals->tx_queue[i].sockfd = -1;
 	}
 
 	dev->data->dev_link.link_status = ETH_LINK_DOWN;
-- 
2.7.4



More information about the dev mailing list