diff options
| author |   Benoît Ganne <bganne@cisco.com> | 2019-07-18 18:38:42 +0200 |
|---|---|---|
| committer |   Florin Coras <florin.coras@gmail.com> | 2019-10-01 21:57:09 +0000 |
| commit | d4aeb84c3f066b755b723163da292eab95bd1ef9 (patch) | |
| tree | 0be8fb435d76665377cb1248271c8df78d309b10 | |
| parent | b5a2f7056967630c2834b0b4bf03520d96806c3e (diff) | |
session: fix use-after-free
Make sure to reinitialize data before free-ing it.
Type: fix
Change-Id: I45727c456d0345204d4825ecdd9690c5ebeb5e94
Signed-off-by: Benoît Ganne <bganne@cisco.com>
| -rw-r--r-- | src/plugins/sctp/sctp.h | 4 | ||||
| -rw-r--r-- | src/vnet/session/application.c | 2 | ||||
| -rw-r--r-- | src/vnet/session/application_worker.c | 2 | ||||
| -rw-r--r-- | src/vnet/tcp/tcp.c | 2 | ||||
| -rw-r--r-- | src/vnet/udp/udp.c | 3 |
5 files changed, 7 insertions, 6 deletions
diff --git a/src/plugins/sctp/sctp.h b/src/plugins/sctp/sctp.h index a99b01c1c0a..aa2409ecce8 100644 --- a/src/plugins/sctp/sctp.h +++ b/src/plugins/sctp/sctp.h @@ -607,11 +607,11 @@ always_inline void sctp_half_open_connection_del (sctp_connection_t * tc) { sctp_main_t *sctp_main = vnet_get_sctp_main (); + u32 index = tc->sub_conn[SCTP_PRIMARY_PATH_IDX].c_c_index; clib_spinlock_lock_if_init (&sctp_main->half_open_lock); - pool_put_index (sctp_main->half_open_connections, - tc->sub_conn[SCTP_PRIMARY_PATH_IDX].c_c_index); if (CLIB_DEBUG) clib_memset (tc, 0xFA, sizeof (*tc)); + pool_put_index (sctp_main->half_open_connections, index); clib_spinlock_unlock_if_init (&sctp_main->half_open_lock); } diff --git a/src/vnet/session/application.c b/src/vnet/session/application.c index d4f3d61ab61..583c4b055ee 100644 --- a/src/vnet/session/application.c +++ b/src/vnet/session/application.c @@ -52,9 +52,9 @@ static void app_listener_free (application_t * app, app_listener_t * app_listener) { clib_bitmap_free (app_listener->workers); - pool_put (app->listeners, app_listener); if (CLIB_DEBUG) clib_memset (app_listener, 0xfa, sizeof (*app_listener)); + pool_put (app->listeners, app_listener); } session_handle_t diff --git a/src/vnet/session/application_worker.c b/src/vnet/session/application_worker.c index 30edf3c32cc..c45679735b9 100644 --- a/src/vnet/session/application_worker.c +++ b/src/vnet/session/application_worker.c @@ -109,9 +109,9 @@ app_worker_free (app_worker_t * app_wrk) segment_manager_free (sm); } - pool_put (app_workers, app_wrk); if (CLIB_DEBUG) clib_memset (app_wrk, 0xfe, sizeof (*app_wrk)); + pool_put (app_workers, app_wrk); } application_t * diff --git a/src/vnet/tcp/tcp.c b/src/vnet/tcp/tcp.c index 75a45a448bd..8467ea4fd67 100644 --- a/src/vnet/tcp/tcp.c +++ b/src/vnet/tcp/tcp.c @@ -192,9 +192,9 @@ tcp_half_open_connection_del (tcp_connection_t * tc) { tcp_main_t *tm = vnet_get_tcp_main (); clib_spinlock_lock_if_init (&tm->half_open_lock); - pool_put_index (tm->half_open_connections, tc->c_c_index); if (CLIB_DEBUG) clib_memset (tc, 0xFA, sizeof (*tc)); + pool_put (tm->half_open_connections, tc); clib_spinlock_unlock_if_init (&tm->half_open_lock); } diff --git a/src/vnet/udp/udp.c b/src/vnet/udp/udp.c index 949c6356d33..fbd9e980181 100644 --- a/src/vnet/udp/udp.c +++ b/src/vnet/udp/udp.c @@ -58,9 +58,10 @@ udp_connection_alloc (u32 thread_index) void udp_connection_free (udp_connection_t * uc) { - pool_put (udp_main.connections[uc->c_thread_index], uc); + u32 thread_index = uc->c_thread_index; if (CLIB_DEBUG) clib_memset (uc, 0xFA, sizeof (*uc)); + pool_put (udp_main.connections[thread_index], uc); } void |