authorVladimir Isaev <visaev@netgate.com>2020-10-06 12:59:47 +0300
committerMatthew Smith <mgsmith@netgate.com>2020-10-12 15:00:04 +0000
commitd3252adce29e45611cbe2a43b2d37758a864a429 (patch)
tree24bfc8b4b78cc46fa1f39cf48566e7efff41b940
parent41bda044877bae25c5b584a5444c2a038a98e3a9 (diff)
nat: set fib index for bypass session
The bihash key already contains rx_fib_index for lookup, but the fib index stored in the session itself is set to 0. As a result, the bihash entry is allocated with a key that has the fib index set, while the free function looks for a key with the fib index set to zero. This leads to a use-after-free: the session itself is removed from the pool, but the bihash entry is not, because of the key mismatch.

Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: I8ac5a41b0a5a32b1baab9e9d757141d5b24b7798
-rw-r--r--src/plugins/nat/nat.c1
-rw-r--r--src/plugins/nat/out2in_ed.c2
2 files changed, 2 insertions, 1 deletions
diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c
index a7a8842996e..17d1b8ff672 100644
--- a/src/plugins/nat/nat.c
+++ b/src/plugins/nat/nat.c
@@ -213,6 +213,7 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index,
l_addr = &s->in2out.addr;
r_addr = &s->ext_host_addr;
proto = nat_proto_to_ip_proto (s->nat_proto);
+ fib_index = s->in2out.fib_index;
init_ed_k (&ed_kv, *l_addr, l_port, *r_addr, r_port, fib_index,
proto);
}
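Review bot: The added `fib_index = s->in2out.fib_index;` sits inside a single block that closes right after `init_ed_k`, so only the key built on this path picks up the session's fib index. In out2in_ed.c the new `s->out2in.fib_index = rx_fib_index;` appears to run after the block that sets `SNAT_SESSION_FLAG_UNKNOWN_PROTO`, so those sessions now carry a non-zero fib index as well. If nat_free_session_data builds `ed_kv` for them on a sibling path, that path needs the same `fib_index = s->in2out.fib_index;` before its key is built, or the stale bihash entry described in the commit message could remain for them. The function starts and ends outside the hunk, so this cannot be confirmed from here.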
diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c
index de3595b4a33..15cf48067d7 100644
--- a/src/plugins/nat/out2in_ed.c
+++ b/src/plugins/nat/out2in_ed.c
@@ -481,7 +481,7 @@ create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip,
s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
s->out2in.port = ip->protocol;
}
- s->out2in.fib_index = 0;
+ s->out2in.fib_index = rx_fib_index;
s->in2out.addr = s->out2in.addr;
s->in2out.port = s->out2in.port;
s->in2out.fib_index = s->out2in.fib_index;
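Review bot: Nothing at the changed assignment records that the session's fib index must stay equal to the one used in the bihash key, yet the free path now rebuilds the key from `s->in2out.fib_index`, which is copied from this value two lines later. A short comment would keep a later edit from reintroducing the mismatch, for example `/* must match the fib index in the bihash key; nat_free_session_data rebuilds the key from s->in2out.fib_index */`. create_bypass_for_fwd starts and ends outside the hunk, so where the key is built and inserted is not visible here.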