aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ip
diff options
context:
space:
mode:
authorBenoît Ganne <bganne@cisco.com>2019-09-30 10:55:33 +0200
committerAndrew Yourtchenko <ayourtch@gmail.com>2019-10-15 10:45:12 +0000
commitb022d3195a5a3f30c6a5b48af9bf00a0fcdcf976 (patch)
tree40bddd060202f2c99ad63f3f8aa66ff957f59715 /src/vnet/ip
parent7efa9c53420379e4b848762796630facf6363471 (diff)
ip: fix use-after-free in IPv6 SLAAC expiration
Type: fix Change-Id: I46b166b3a10c4543eafa4422531dd3c725db45f1 Signed-off-by: Benoît Ganne <bganne@cisco.com> (cherry picked from commit 79c9d3650357fa675df2998e362e9881cff17a34)
Diffstat (limited to 'src/vnet/ip')
-rw-r--r--src/vnet/ip/rd_cp.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/src/vnet/ip/rd_cp.c b/src/vnet/ip/rd_cp.c
index a0894fa3d7c..2af24c018db 100644
--- a/src/vnet/ip/rd_cp.c
+++ b/src/vnet/ip/rd_cp.c
@@ -440,9 +440,15 @@ rd_cp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
do
{
due_time = current_time + 1e9;
+ u32 index;
+ /*
+ * we do not use pool_foreach() to iterate over pool elements here
+ * as we are removing elements inside the loop body
+ */
/* *INDENT-OFF* */
- pool_foreach (slaac_address, rm->slaac_address_pool,
+ pool_foreach_index (index, rm->slaac_address_pool,
({
+ slaac_address = pool_elt_at_index(rm->slaac_address_pool, index);
if (slaac_address->due_time > current_time)
{
if (slaac_address->due_time < due_time)
@@ -450,13 +456,15 @@ rd_cp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
}
else
{
+ u32 sw_if_index = slaac_address->sw_if_index;
remove_slaac_address (vm, slaac_address);
/* make sure ip6 stays enabled */
- ip6_enable (slaac_address->sw_if_index);
+ ip6_enable (sw_if_index);
}
}));
- pool_foreach (default_route, rm->default_route_pool,
+ pool_foreach_index (index, rm->default_route_pool,
({
+ default_route = pool_elt_at_index(rm->default_route_pool, index);
if (default_route->due_time > current_time)
{
if (default_route->due_time < due_time)