author | Benoît Ganne <bganne@cisco.com> | 2019-09-11 16:40:04 +0200 |
---|---|---|
committer | Andrew Yourtchenko <ayourtch@gmail.com> | 2019-09-30 15:23:02 +0000 |
commit | 003dd32489d768a8fc227da8b7218bc11126a592 (patch) | |
tree | 9f967eff19f0660cb18cb603ff16c20a1801245b | |
parent | fcb879c96c9c8f237a5d057a8b105f2c120672d5 (diff) |
hsa: fix memory management bugs
Fix use-after-free and non-null terminated string.
Type: fix
Change-Id: Ibba2a6cae68c612a34477aa813b3bf27a0c8fc1f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 58519563acc0933771172941291b7d0de2ffeddc)
-rw-r--r-- | src/plugins/hs_apps/echo_client.c | 10 | ||||
-rw-r--r-- | src/plugins/hs_apps/sapi/vpp_echo.c | 4 |
2 files changed, 9 insertions, 5 deletions
diff --git a/src/plugins/hs_apps/echo_client.c b/src/plugins/hs_apps/echo_client.c
index dc1384ce4b5..076fca22deb 100644
--- a/src/plugins/hs_apps/echo_client.c
+++ b/src/plugins/hs_apps/echo_client.c
@@ -370,6 +370,7 @@ quic_echo_clients_qsession_connected_callback (u32 app_index, u32 api_context,
 u8 thread_index = vlib_get_thread_index ();
 session_endpoint_cfg_t sep = SESSION_ENDPOINT_CFG_NULL;
 u32 stream_n;
+ session_handle_t handle;
 DBG ("QUIC Connection handle %d", session_handle (s));
@@ -377,7 +378,7 @@ quic_echo_clients_qsession_connected_callback (u32 app_index, u32 api_context,
 a->uri = (char *) ecm->connect_uri;
 if (parse_uri (a->uri, &sep))
 return -1;
- sep.parent_handle = session_handle (s);
+ sep.parent_handle = handle = session_handle (s);
 for (stream_n = 0; stream_n < ecm->quic_streams; stream_n++)
 {
@@ -394,8 +395,11 @@ quic_echo_clients_qsession_connected_callback (u32 app_index, u32 api_context,
 }
 DBG ("QUIC stream %d connected", stream_n);
 }
- vec_add1 (ecm->quic_session_index_by_thread[thread_index],
- session_handle (s));
+ /*
+ * 's' is no longer valid, its underlying pool could have been moved in
+ * vnet_connect()
+ */
+ vec_add1 (ecm->quic_session_index_by_thread[thread_index], handle);
 vec_free (a);
 return 0;
 }
diff --git a/src/plugins/hs_apps/sapi/vpp_echo.c b/src/plugins/hs_apps/sapi/vpp_echo.c
index 18997599113..c72bf18f264 100644
--- a/src/plugins/hs_apps/sapi/vpp_echo.c
+++ b/src/plugins/hs_apps/sapi/vpp_echo.c
@@ -160,7 +160,7 @@ print_global_stats (echo_main_t * em)
 s = format (0, "%U:%U", echo_format_timing_event, em->timing.start_event, echo_format_timing_event, em->timing.end_event);
- fformat (stdout, "Timing %s\n", s);
+ fformat (stdout, "Timing %v\n", s);
 fformat (stdout, "-------- TX --------\n");
 fformat (stdout, "%lld bytes (%lld mbytes, %lld gbytes) in %.6f seconds\n", em->stats.tx_total, em->stats.tx_total / (1ULL << 20),
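Review bot: The early `return -1` after `parse_uri` in the second echo_client.c hunk leaves the function without reaching the `vec_free (a)` at its end, so `a` appears to leak when the URI does not parse. `a` is already dereferenced at `a->uri` just above, but its allocation lies outside the hunks, so this needs confirming against the full function. The failure branch that closes just before `DBG ("QUIC stream %d connected", stream_n);` in the third hunk may have the same shape. If confirmed, release before returning: `if (parse_uri (a->uri, &sep)) { vec_free (a); return -1; }`.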
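Review bot: The comment added in the third echo_client.c hunk documents the stale pointer only at the final `vec_add1`, while by its own reasoning `s` stops being trustworthy at the first `vnet_connect()` call, which presumably sits in the loop body outside the hunks. Putting the explanation at the capture site and clearing the pointer there makes any later use fault deterministically instead of reading relocated pool memory: after `sep.parent_handle = handle = session_handle (s);` add `s = 0; /* pool may move in vnet_connect(); use 'handle' from here on */`. Any remaining use of `s` inside the loop should be checked against the same rule.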
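Review bot: Nothing at the `fformat (stdout, "Timing %v\n", s);` call in print_global_stats records why `%v` is required, so a later edit could reintroduce `%s` and read past the end of the vector again. A one-line comment above the call would prevent that, for example `/* s is a format() vector, not NUL-terminated: print with %v */`. The function continues outside the hunk, so whether `s` is released after printing cannot be seen here and is worth confirming.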
@@ -220,8 +220,8 @@ echo_free_sessions (echo_main_t * em)
 s = pool_elt_at_index (em->sessions, *session_index);
 echo_session_handle_add_del (em, s->vpp_session_handle, SESSION_INVALID_INDEX);
- pool_put (em->sessions, s);
 clib_memset (s, 0xfe, sizeof (*s));
+ pool_put (em->sessions, s);
 }
 } |
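Review bot: The reordered pair `clib_memset (s, 0xfe, sizeof (*s));` then `pool_put (em->sessions, s);` in echo_free_sessions is correct only in this order, and nothing in the code says so. A short comment keeps it from being swapped back: `/* poison while we still own the element; after pool_put() it belongs to the pool */`. The poison is applied unconditionally; if it is meant only as a debugging aid, that is worth stating in the same comment.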