[dpdk-dev] vhost: use after free

Message ID	1476893390-4192-1-git-send-email-3chas3@gmail.com (mailing list archive)
State	Superseded, archived
Headers	From: Chas Williams <3chas3@gmail.com> To: dev@dpdk.org Cc: Chas Williams <3chas3@gmail.com> Date: Wed, 19 Oct 2016 12:09:50 -0400 Message-Id: <1476893390-4192-1-git-send-email-3chas3@gmail.com> Subject: [dpdk-dev] [PATCH] vhost: use after free Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>

Message ID

1476893390-4192-1-git-send-email-3chas3@gmail.com (mailing list archive)

State

Superseded, archived

Headers

From: Chas Williams <3chas3@gmail.com>
To: dev@dpdk.org
Cc: Chas Williams <3chas3@gmail.com>
Date: Wed, 19 Oct 2016 12:09:50 -0400
Message-Id: <1476893390-4192-1-git-send-email-3chas3@gmail.com>
Subject: [dpdk-dev] [PATCH] vhost: use after free
Precedence: list
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

Commit Message

Chas Williams Oct. 19, 2016, 4:09 p.m. UTC

  Don't dereference freed memory.

Fixes: a277c7159876 ("vhost: refactor code structure")

Signed-off-by: Chas Williams <3chas3@gmail.com>
---
 lib/librte_vhost/socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

John McNamara Oct. 19, 2016, 8:21 p.m. UTC | #1

> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Chas Williams
> Sent: Wednesday, October 19, 2016 5:10 PM
> To: dev@dpdk.org
> Cc: Chas Williams <3chas3@gmail.com>
> Subject: [dpdk-dev] [PATCH] vhost: use after free
> 
> Don't dereference freed memory.
> 
> Fixes: a277c7159876 ("vhost: refactor code structure")

Hi Chas,

Thanks for that. 

Just to note that there was another patch submitted for this a few hours ago by Yuanhan (CCed):

    http://dpdk.org/dev/patchwork/patch/16674/

John

diff mbox

Patch

diff --git a/lib/librte_vhost/socket.c b/lib/librte_vhost/socket.c
index 967cb65..aaa9c27 100644
--- a/lib/librte_vhost/socket.c
+++ b/lib/librte_vhost/socket.c
@@ -250,8 +250,8 @@  vhost_user_read_cb(int connfd, void *dat, int *remove)
 		vsocket->connfd = -1;
 		close(connfd);
 		*remove = 1;
-		free(conn);
 		vhost_destroy_device(conn->vid);
+		free(conn);
 
 		if (vsocket->reconnect)
 			vhost_user_create_client(vsocket);