diff options
author | Benoît Ganne <bganne@cisco.com> | 2019-09-30 10:55:33 +0200 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-10-04 14:57:32 +0000 |
commit | 79c9d3650357fa675df2998e362e9881cff17a34 (patch) | |
tree | e01b0675020d181c9b62e364c11f8a02a32d1718 | |
parent | 72c159e64d77c316a661e70854385def2353f6e1 (diff) |
ip: fix use-after-free in IPv6 SLAAC expiration
Type: fix
Change-Id: I46b166b3a10c4543eafa4422531dd3c725db45f1
Signed-off-by: Benoît Ganne <bganne@cisco.com>
-rw-r--r-- | src/vnet/ip/rd_cp.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/src/vnet/ip/rd_cp.c b/src/vnet/ip/rd_cp.c index a0894fa3d7c..2af24c018db 100644 --- a/src/vnet/ip/rd_cp.c +++ b/src/vnet/ip/rd_cp.c @@ -440,9 +440,15 @@ rd_cp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f) do { due_time = current_time + 1e9; + u32 index; + /* + * we do not use pool_foreach() to iterate over pool elements here + * as we are removing elements inside the loop body + */ /* *INDENT-OFF* */ - pool_foreach (slaac_address, rm->slaac_address_pool, + pool_foreach_index (index, rm->slaac_address_pool, ({ + slaac_address = pool_elt_at_index(rm->slaac_address_pool, index); if (slaac_address->due_time > current_time) { if (slaac_address->due_time < due_time) @@ -450,13 +456,15 @@ rd_cp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f) } else { + u32 sw_if_index = slaac_address->sw_if_index; remove_slaac_address (vm, slaac_address); /* make sure ip6 stays enabled */ - ip6_enable (slaac_address->sw_if_index); + ip6_enable (sw_if_index); } })); - pool_foreach (default_route, rm->default_route_pool, + pool_foreach_index (index, rm->default_route_pool, ({ + default_route = pool_elt_at_index(rm->default_route_pool, index); if (default_route->due_time > current_time) { if (default_route->due_time < due_time) |