ip: reassembly: fix use-after-free

[vpp.git] / src / vnet / ip / reass / ip4_full_reass.c

diff --git a/src/vnet/ip/reass/ip4_full_reass.c b/src/vnet/ip/reass/ip4_full_reass.c
index 303f233..f6c0546 100644 (file)
--- a/src/vnet/ip/reass/ip4_full_reass.c
+++ b/src/vnet/ip/reass/ip4_full_reass.c
@@ -1224,13 +1224,17 @@ ip4_full_reass_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 
 
        packet_enqueue:
-         b0->error = node->errors[error0];
 
          if (bi0 != ~0)
            {
              to_next[0] = bi0;
              to_next += 1;
              n_left_to_next -= 1;
+
+             /* bi0 might have been updated by reass_finalize, reload */
+             b0 = vlib_get_buffer (vm, bi0);
+             b0->error = node->errors[error0];
+
              if (next0 == IP4_FULL_REASS_NEXT_HANDOFF)
                {
                  if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
@@ -1243,7 +1247,6 @@ ip4_full_reass_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
                }
              else if (is_feature && IP4_ERROR_NONE == error0)
                {
-                 b0 = vlib_get_buffer (vm, bi0);
                  vnet_feature_next (&next0, b0);
                }
              vlib_validate_buffer_enqueue_x1 (vm, node, next_index,