[dpdk-dev] net/af_packet: fix fd use after free
Checks
Commit Message
When using the same file descriptor for both rx and tx, the
eth_dev_stop function would close the same fd twice. This
change prevents that from happening.
Signed-off-by: Timmons C. Player <timmons.player@spirent.com>
---
drivers/net/af_packet/rte_eth_af_packet.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
Comments
On 1/5/2017 2:33 PM, Timmons C. Player wrote:
> When using the same file descriptor for both rx and tx, the
> eth_dev_stop function would close the same fd twice. This
> change prevents that from happening.
>
> Signed-off-by: Timmons C. Player <timmons.player@spirent.com>
Fixes: 364e08f2bbc0 ("af_packet: add PMD for AF_PACKET-based virtual
devices")
CC:stable@dpdk.org
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
On 1/9/2017 11:55 AM, Ferruh Yigit wrote:
> On 1/5/2017 2:33 PM, Timmons C. Player wrote:
>> When using the same file descriptor for both rx and tx, the
>> eth_dev_stop function would close the same fd twice. This
>> change prevents that from happening.
>>
>> Signed-off-by: Timmons C. Player <timmons.player@spirent.com>
>
> Fixes: 364e08f2bbc0 ("af_packet: add PMD for AF_PACKET-based virtual
> devices")
>
> CC:stable@dpdk.org
>
> Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
>
Applied to dpdk-next-net/master, thanks.
@@ -261,9 +261,16 @@ eth_dev_stop(struct rte_eth_dev *dev)
sockfd = internals->rx_queue[i].sockfd;
if (sockfd != -1)
close(sockfd);
- sockfd = internals->tx_queue[i].sockfd;
- if (sockfd != -1)
- close(sockfd);
+
+ /* Prevent use after free in case tx fd == rx fd */
+ if (sockfd != internals->tx_queue[i].sockfd) {
+ sockfd = internals->tx_queue[i].sockfd;
+ if (sockfd != -1)
+ close(sockfd);
+ }
+
+ internals->rx_queue[i].sockfd = -1;
+ internals->tx_queue[i].sockfd = -1;
}
dev->data->dev_link.link_status = ETH_LINK_DOWN;