diff options
| author |   Ivan Kelly <ivan@midokura.com> | 2016-10-07 18:02:43 +0200 |
|---|---|---|
| committer |   Chris Luke <chris_luke@comcast.com> | 2016-10-10 16:23:31 +0000 |
| commit | bfe737a1b29afea2e10248b8c9fa800148fbd573 (patch) | |
| tree | 2bb706ed1d297cc36c1b00a14b4087b0c0fcf7be | |
| parent | 4c42e913c4f9723d27f6501f6e1b6a13b9c2f9f8 (diff) | |
Fix double free in af_packet api/cli
The api was allocating a vector for the name, passing it, then freeing
it, on create. The cli allocated, passed then forgot about it.
af_packet_create_if was storing a reference to the name, which in the
case of the api, meant it was referencing dead memory. On
af_packet_delete_if this reference was freed, so in the api case, there
was a double free.
Also, the cli for delete leaked the name.
Change-Id: I4d572bd2936eaf8ea7a0a8ff282e83ac2bf1b062
Signed-off-by: Ivan Kelly <ivan@midokura.com>
| -rw-r--r-- | vnet/vnet/devices/af_packet/af_packet.c | 8 | ||||
| -rw-r--r-- | vnet/vnet/devices/af_packet/cli.c | 2 |
2 files changed, 7 insertions, 3 deletions
diff --git a/vnet/vnet/devices/af_packet/af_packet.c b/vnet/vnet/devices/af_packet/af_packet.c index cec25fed035..91c3988b439 100644 --- a/vnet/vnet/devices/af_packet/af_packet.c +++ b/vnet/vnet/devices/af_packet/af_packet.c @@ -187,6 +187,7 @@ af_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set, vnet_main_t *vnm = vnet_get_main (); uword *p; uword if_index; + u8 *host_if_name_dup = vec_dup (host_if_name); p = mhash_get (&apm->if_index_by_host_if_name, host_if_name); if (p) @@ -220,7 +221,7 @@ af_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set, apif->tx_ring = ring + rx_req->tp_block_size * rx_req->tp_block_nr; apif->rx_req = rx_req; apif->tx_req = tx_req; - apif->host_if_name = host_if_name; + apif->host_if_name = host_if_name_dup; apif->per_interface_next_index = ~0; apif->next_tx_frame = 0; apif->next_rx_frame = 0; @@ -268,13 +269,14 @@ af_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set, vnet_hw_interface_set_flags (vnm, apif->hw_if_index, VNET_HW_INTERFACE_FLAG_LINK_UP); - mhash_set_mem (&apm->if_index_by_host_if_name, host_if_name, &if_index, 0); + mhash_set_mem (&apm->if_index_by_host_if_name, host_if_name_dup, &if_index, + 0); if (sw_if_index) *sw_if_index = apif->sw_if_index; return 0; error: - vec_free (host_if_name); + vec_free (host_if_name_dup); vec_free (rx_req); vec_free (tx_req); return ret; diff --git a/vnet/vnet/devices/af_packet/cli.c b/vnet/vnet/devices/af_packet/cli.c index 87ec5182c74..2cbd415289e 100644 --- a/vnet/vnet/devices/af_packet/cli.c +++ b/vnet/vnet/devices/af_packet/cli.c @@ -65,6 +65,7 @@ af_packet_create_command_fn (vlib_main_t * vm, unformat_input_t * input, return clib_error_return (0, "missing host interface name"); r = af_packet_create_if (vm, host_if_name, hw_addr_ptr, &sw_if_index); + vec_free (host_if_name); if (r == VNET_API_ERROR_SYSCALL_ERROR_1) return clib_error_return (0, "%s (errno %d)", strerror (errno), errno); @@ -113,6 +114,7 @@ af_packet_delete_command_fn (vlib_main_t * vm, unformat_input_t * input, return clib_error_return (0, "missing host interface name"); af_packet_delete_if (vm, host_if_name); + vec_free (host_if_name); return 0; } |