authorBenoît Ganne <bganne@cisco.com>2019-09-11 16:41:49 +0200
committerAndrew Yourtchenko <ayourtch@gmail.com>2019-09-30 15:22:43 +0000
commitfcb879c96c9c8f237a5d057a8b105f2c120672d5 (patch)
tree71cea26b8af2d9c2137399b48c9ba665c73589a5
parentc811c43606014d6034e704036415d6f254a4a0bd (diff)
quic: fix use-after-free
Type: fix Change-Id: I5e5e37684e336ca992dae8ea1d39b1fb103802b1 Signed-off-by: Benoît Ganne <bganne@cisco.com> (cherry picked from commit 6d6456ab421ee30f14aded964bad2d3ba55bcf20)
-rw-r--r--src/plugins/quic/quic.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/plugins/quic/quic.c b/src/plugins/quic/quic.c
index 4a465fcbe30..97f03e52f5b 100644
--- a/src/plugins/quic/quic.c
+++ b/src/plugins/quic/quic.c
@@ -1404,6 +1404,11 @@ quic_on_client_connected (quic_ctx_t * ctx)
/* If the app opens a stream in its callback it may invalidate ctx */
ctx = quic_ctx_get (ctx_id, thread_index);
+ /*
+ * app_worker_connect_notify() might have reallocated pool, reload
+ * quic_session pointer
+ */
+ quic_session = session_get (ctx->c_s_index, thread_index);
quic_session->session_state = SESSION_STATE_LISTENING;
return 0;
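Review bot: The reloaded `quic_session` is dereferenced without a validity check, so the added lines cover a pool reallocation during `app_worker_connect_notify()` but not a callback that closed or freed the session or the ctx. The existing comment just above already says the app may invalidate `ctx` from its callback. If freeing is possible there, `ctx_id` and `ctx->c_s_index` are stale indices and the write to `session_state` lands in a free or reused pool element. Consider `quic_session = session_get_if_valid (ctx->c_s_index, thread_index);` followed by an early return when it is NULL, or extend the comment to say why the session is guaranteed to still exist at this point. The rest of quic_on_client_connected lies outside the hunk, so whether the callback can free these objects cannot be confirmed from here.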
@@ -1997,10 +2002,10 @@ quic_process_one_rx_packet (u64 udp_session_handle,
{
/* Right ctx found, create conn & remove from pool */
quic_create_connection(*ctx_index_ptr, sa, salen, packet_ctx->packet);
- pool_put (opening_ctx_pool, ctx_index_ptr);
*max_packet = packet_n + 1;
packet_ctx->thread_index = thread_index;
packet_ctx->ctx_index = *ctx_index_ptr;
+ pool_put (opening_ctx_pool, ctx_index_ptr);
goto updateOffset;
}
}));
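Review bot: Placing `pool_put` after the last read of `*ctx_index_ptr` is now what keeps this block memory-safe, but nothing in the code says so. `ctx_index_ptr` points into `opening_ctx_pool`, so a later reorder or an added read after the `pool_put` brings the use-after-free back. Copying the index into a local at the top of the block removes the ordering dependency: `u32 ctx_index = *ctx_index_ptr;` (assuming the pool stores u32 indices), then `packet_ctx->ctx_index = ctx_index;`. At minimum add a comment such as `/* ctx_index_ptr is invalid after pool_put, keep this last */`. The enclosing loop and function begin and end outside the hunk.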