author | Benoît Ganne <bganne@cisco.com> | 2019-09-30 10:55:33 +0200 |
---|---|---|
committer | Andrew Yourtchenko <ayourtch@gmail.com> | 2019-10-15 10:45:12 +0000 |
commit | b022d3195a5a3f30c6a5b48af9bf00a0fcdcf976 (patch) | |
tree | 40bddd060202f2c99ad63f3f8aa66ff957f59715 /src/vnet/ip | |
parent | 7efa9c53420379e4b848762796630facf6363471 (diff) |
ip: fix use-after-free in IPv6 SLAAC expiration
Type: fix
Change-Id: I46b166b3a10c4543eafa4422531dd3c725db45f1
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 79c9d3650357fa675df2998e362e9881cff17a34)
Diffstat (limited to 'src/vnet/ip')
-rw-r--r-- | src/vnet/ip/rd_cp.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/src/vnet/ip/rd_cp.c b/src/vnet/ip/rd_cp.c
index a0894fa3d7c..2af24c018db 100644
--- a/src/vnet/ip/rd_cp.c
+++ b/src/vnet/ip/rd_cp.c
@@ -440,9 +440,15 @@ rd_cp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
 do
 {
 due_time = current_time + 1e9;
+ u32 index;
+ /*
+ * we do not use pool_foreach() to iterate over pool elements here
+ * as we are removing elements inside the loop body
+ */
 /* *INDENT-OFF* */
- pool_foreach (slaac_address, rm->slaac_address_pool,
+ pool_foreach_index (index, rm->slaac_address_pool,
 ({
+ slaac_address = pool_elt_at_index(rm->slaac_address_pool, index);
 if (slaac_address->due_time > current_time)
 {
 if (slaac_address->due_time < due_time)
@@ -450,13 +456,15 @@ rd_cp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
 }
 else
 {
+ u32 sw_if_index = slaac_address->sw_if_index;
 remove_slaac_address (vm, slaac_address);
 /* make sure ip6 stays enabled */
- ip6_enable (slaac_address->sw_if_index);
+ ip6_enable (sw_if_index);
 }
 }));
- pool_foreach (default_route, rm->default_route_pool,
+ pool_foreach_index (index, rm->default_route_pool,
 ({
+ default_route = pool_elt_at_index(rm->default_route_pool, index);
 if (default_route->due_time > current_time)
 {
 if (default_route->due_time < due_time) |
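Review bot: The new comment above the first `pool_foreach_index` explains why `pool_foreach()` is avoided, but not what the replacement relies on to stay safe. The loop is only safe because the element pointer is looked up again from `index` on every pass and is not used once the element has been removed. I would add a line such as `* elements are re-fetched by index on each pass and must not be dereferenced after removal`. Separately, `u32 index;` is declared after the `due_time` assignment and shared by both loops, while `slaac_address` and `default_route` appear to be declared earlier in `rd_cp_process`; moving it up with them would be more consistent. The function starts and ends outside the hunk.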
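Review bot: After `remove_slaac_address (vm, slaac_address);` the pointer `slaac_address` is stale for the rest of the iteration, and nothing in the new code says so. The copy into `sw_if_index` is the whole fix and is easy to undo in a later cleanup. A comment on that line, for example `/* slaac_address is no longer valid after remove_slaac_address(); copy what is needed first */`, would protect it. The `default_route` loop is converted to `pool_foreach_index` as well, but its removal branch lies outside this hunk. Whether it reads `default_route` after removing it cannot be checked from here and is worth confirming. As a style point, `pool_elt_at_index(` is written without the space before the parenthesis that the neighbouring calls use.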