ipf: bail out when ipf state is COMPLETED

it is easy to crash ovs when a packet with same id hits a list that already reassembled completedly but have not been sent out yet, and this packet is not duplicate with this hit ipf list due to bigger offset 1 0x00007f9fef0ae2d9 in __GI_abort () at abort.c:89 2 0x0000000000464042 in ipf_list_state_transition at lib/ipf.c:545 Fixes: 4ea9669 ("Userspace datapath: Add fragmentation handling.") Co-authored-by: Wang Li <[email protected]> Signed-off-by: Wang Li <[email protected]> Signed-off-by: Li RongQing <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
qlw · Nov 22, 2019 · 0c3057d · 0c3057d
1 parent 9bfb280
commit 0c3057d
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/ipf.c b/lib/ipf.c
@@ -899,7 +899,8 @@ ipf_handle_frag(struct ipf *ipf, struct dp_packet *pkt, ovs_be16 dl_type,
                       MIN(max_frag_list_size, IPF_FRAG_LIST_MIN_INCREMENT));
         hmap_insert(&ipf->frag_lists, &ipf_list->node, hash);
         ipf_expiry_list_add(&ipf->frag_exp_list, ipf_list, now);
-    } else if (ipf_list->state == IPF_LIST_STATE_REASS_FAIL) {
+    } else if (ipf_list->state == IPF_LIST_STATE_REASS_FAIL ||
+               ipf_list->state == IPF_LIST_STATE_COMPLETED) {
         /* Bail out as early as possible. */
         return false;
     } else if (ipf_list->last_inuse_idx + 1 >= ipf_list->size) {