summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenoît Ganne <bganne@cisco.com>2019-09-30 10:55:33 +0200
committerNeale Ranns <nranns@cisco.com>2019-10-04 14:57:32 +0000
commit79c9d3650357fa675df2998e362e9881cff17a34 (patch)
treee01b0675020d181c9b62e364c11f8a02a32d1718
parent72c159e64d77c316a661e70854385def2353f6e1 (diff)
ip: fix use-after-free in IPv6 SLAAC expiration
Type: fix Change-Id: I46b166b3a10c4543eafa4422531dd3c725db45f1 Signed-off-by: Benoît Ganne <bganne@cisco.com>
-rw-r--r--src/vnet/ip/rd_cp.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/src/vnet/ip/rd_cp.c b/src/vnet/ip/rd_cp.c
index a0894fa3d7c..2af24c018db 100644
--- a/src/vnet/ip/rd_cp.c
+++ b/src/vnet/ip/rd_cp.c
@@ -440,9 +440,15 @@ rd_cp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
do
{
due_time = current_time + 1e9;
+ u32 index;
+ /*
+ * we do not use pool_foreach() to iterate over pool elements here
+ * as we are removing elements inside the loop body
+ */
/* *INDENT-OFF* */
- pool_foreach (slaac_address, rm->slaac_address_pool,
+ pool_foreach_index (index, rm->slaac_address_pool,
({
+ slaac_address = pool_elt_at_index(rm->slaac_address_pool, index);
if (slaac_address->due_time > current_time)
{
if (slaac_address->due_time < due_time)
@@ -450,13 +456,15 @@ rd_cp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
}
else
{
+ u32 sw_if_index = slaac_address->sw_if_index;
remove_slaac_address (vm, slaac_address);
/* make sure ip6 stays enabled */
- ip6_enable (slaac_address->sw_if_index);
+ ip6_enable (sw_if_index);
}
}));
- pool_foreach (default_route, rm->default_route_pool,
+ pool_foreach_index (index, rm->default_route_pool,
({
+ default_route = pool_elt_at_index(rm->default_route_pool, index);
if (default_route->due_time > current_time)
{
if (default_route->due_time < due_time)