aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenoît Ganne <bganne@cisco.com>2019-09-11 16:40:04 +0200
committerDave Wallace <dwallacelf@gmail.com>2019-09-12 14:18:14 +0000
commit58519563acc0933771172941291b7d0de2ffeddc (patch)
treebe3730ce6a9319c04576078c86d11d47849c4ac8
parent6d6456ab421ee30f14aded964bad2d3ba55bcf20 (diff)
hsa: fix memory management bugs
Fix use-after-free and non-null terminated string. Type: fix Change-Id: Ibba2a6cae68c612a34477aa813b3bf27a0c8fc1f Signed-off-by: Benoît Ganne <bganne@cisco.com>
-rw-r--r--src/plugins/hs_apps/echo_client.c10
-rw-r--r--src/plugins/hs_apps/sapi/vpp_echo.c4
2 files changed, 9 insertions, 5 deletions
diff --git a/src/plugins/hs_apps/echo_client.c b/src/plugins/hs_apps/echo_client.c
index dc1384ce4b5..076fca22deb 100644
--- a/src/plugins/hs_apps/echo_client.c
+++ b/src/plugins/hs_apps/echo_client.c
@@ -370,6 +370,7 @@ quic_echo_clients_qsession_connected_callback (u32 app_index, u32 api_context,
u8 thread_index = vlib_get_thread_index ();
session_endpoint_cfg_t sep = SESSION_ENDPOINT_CFG_NULL;
u32 stream_n;
+ session_handle_t handle;
DBG ("QUIC Connection handle %d", session_handle (s));
@@ -377,7 +378,7 @@ quic_echo_clients_qsession_connected_callback (u32 app_index, u32 api_context,
a->uri = (char *) ecm->connect_uri;
if (parse_uri (a->uri, &sep))
return -1;
- sep.parent_handle = session_handle (s);
+ sep.parent_handle = handle = session_handle (s);
for (stream_n = 0; stream_n < ecm->quic_streams; stream_n++)
{
@@ -394,8 +395,11 @@ quic_echo_clients_qsession_connected_callback (u32 app_index, u32 api_context,
}
DBG ("QUIC stream %d connected", stream_n);
}
- vec_add1 (ecm->quic_session_index_by_thread[thread_index],
- session_handle (s));
+ /*
+ * 's' is no longer valid, its underlying pool could have been moved in
+ * vnet_connect()
+ */
+ vec_add1 (ecm->quic_session_index_by_thread[thread_index], handle);
vec_free (a);
return 0;
}
diff --git a/src/plugins/hs_apps/sapi/vpp_echo.c b/src/plugins/hs_apps/sapi/vpp_echo.c
index 18997599113..c72bf18f264 100644
--- a/src/plugins/hs_apps/sapi/vpp_echo.c
+++ b/src/plugins/hs_apps/sapi/vpp_echo.c
@@ -160,7 +160,7 @@ print_global_stats (echo_main_t * em)
s = format (0, "%U:%U",
echo_format_timing_event, em->timing.start_event,
echo_format_timing_event, em->timing.end_event);
- fformat (stdout, "Timing %s\n", s);
+ fformat (stdout, "Timing %v\n", s);
fformat (stdout, "-------- TX --------\n");
fformat (stdout, "%lld bytes (%lld mbytes, %lld gbytes) in %.6f seconds\n",
em->stats.tx_total, em->stats.tx_total / (1ULL << 20),
@@ -220,8 +220,8 @@ echo_free_sessions (echo_main_t * em)
s = pool_elt_at_index (em->sessions, *session_index);
echo_session_handle_add_del (em, s->vpp_session_handle,
SESSION_INVALID_INDEX);
- pool_put (em->sessions, s);
clib_memset (s, 0xfe, sizeof (*s));
+ pool_put (em->sessions, s);
}
}