authorBenoît Ganne <bganne@cisco.com>2020-04-22 19:15:49 +0200
committerAndrew Yourtchenko <ayourtch@gmail.com>2020-08-13 17:20:47 +0000
commit2c801f7ffb7475e3dec11ef6aef28d0cb1142561 (patch)
treeae4ccf1736393a217c897ad34ca45338e7be0342
parent367d6d86b61547bd71fdfed547f82734ec4d1bc5 (diff)
tcp: fix use-after-free
bts can be freed by the call to bt_fix_overlapped(). Save flags for later use. Type: fix Change-Id: If8b48c96ce39e38f2ed7f4db2815122523eb2e05 Signed-off-by: Benoît Ganne <bganne@cisco.com> (cherry picked from commit a04adbf5368f9ec907508ff36d42fbd72d287120)
-rw-r--r--src/vnet/tcp/tcp_bt.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/vnet/tcp/tcp_bt.c b/src/vnet/tcp/tcp_bt.c
index b6649444eb5..13022955cfe 100644
--- a/src/vnet/tcp/tcp_bt.c
+++ b/src/vnet/tcp/tcp_bt.c
@@ -362,13 +362,17 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
/* Head overlap */
if (bts->min_seq == start)
{
+ /* bts can be freed by bt_fix_overlapped() below */
+ tcp_bts_flags_t bts_flags = bts->flags;
+
prev_index = bts->prev;
next = bt_fix_overlapped (bt, bts, end, is_end);
+ /* bts is no longer valid from here */
next_index = bt_sample_index (bt, next);
cur = tcp_bt_alloc_tx_sample (tc, start, end);
cur->flags |= TCP_BTS_IS_RXT;
- if (bts->flags & TCP_BTS_IS_RXT)
+ if (bts_flags & TCP_BTS_IS_RXT)
cur->flags |= TCP_BTS_IS_RXT_LOST;
cur->next = next_index;
cur->prev = prev_index;
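Review bot: After `next = bt_fix_overlapped (bt, bts, end, is_end);` the local `bts` still holds the stale address, and only the new comment keeps a later edit from dereferencing it again. If nothing further down this branch reassigns `bts` (the function continues outside the hunk), consider clearing it right after the call with `bts = 0;`, so that a stray read faults immediately instead of quietly returning data from a freed, and possibly reused, sample. The other overlap paths of tcp_bt_track_rxt are not visible here, so it is worth confirming that none of them reads `bts->flags` or `bts->prev` after a call that can free samples.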