summaryrefslogtreecommitdiffstats
path: root/src/vnet/tcp/tcp_bt.c
diff options
context:
space:
mode:
authorFlorin Coras <fcoras@cisco.com>2020-04-22 22:07:43 +0000
committerFlorin Coras <fcoras@cisco.com>2020-04-22 22:07:43 +0000
commitc17ff6ec3b69ef228047bf346e0b524c48d2c96e (patch)
tree6a32795add98ff1a219bdf011ea78f94bedafaa3 /src/vnet/tcp/tcp_bt.c
parentecff1cb6dace2052a5c7f0e01318993309aa42e6 (diff)
tcp: avoid bt sample access after possible pool realloc
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I98f943c8862fa74fb576f9ec1fb9186289b1216b
Diffstat (limited to 'src/vnet/tcp/tcp_bt.c')
-rw-r--r--src/vnet/tcp/tcp_bt.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/src/vnet/tcp/tcp_bt.c b/src/vnet/tcp/tcp_bt.c
index eaec147b836..9c255fa0dc9 100644
--- a/src/vnet/tcp/tcp_bt.c
+++ b/src/vnet/tcp/tcp_bt.c
@@ -340,6 +340,7 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
tcp_bt_sample_t *bts, *next, *cur, *prev, *nbts;
u32 bts_index, cur_index, next_index, prev_index, max_seq;
u8 is_end = end == tc->snd_nxt;
+ tcp_bts_flags_t bts_flags;
/* Contiguous blocks retransmitted at the same time */
bts = bt_get_sample (bt, bt->last_ooo);
@@ -354,8 +355,10 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
return;
}
- /* Find original tx sample */
+ /* Find original tx sample and cache flags in case the sample
+ * is freed or the pool moves */
bts = bt_lookup_seq (bt, start);
+ bts_flags = bts->flags;
ASSERT (bts != 0 && seq_geq (start, bts->min_seq));
@@ -366,12 +369,9 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
/* Head overlap */
if (bts->min_seq == start)
{
- /* bts can be freed by bt_fix_overlapped() below */
- tcp_bts_flags_t bts_flags = bts->flags;
-
prev_index = bts->prev;
next = bt_fix_overlapped (bt, bts, end, is_end);
- /* bts is no longer valid from here */
+ /* bts might no longer be valid from here */
next_index = bt_sample_index (bt, next);
cur = tcp_bt_alloc_tx_sample (tc, start, end);
@@ -418,7 +418,7 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
/* Have to split or tail overlap */
cur = tcp_bt_alloc_tx_sample (tc, start, end);
cur->flags |= TCP_BTS_IS_RXT;
- if (bts->flags & TCP_BTS_IS_RXT)
+ if (bts_flags & TCP_BTS_IS_RXT)
cur->flags |= TCP_BTS_IS_RXT_LOST;
cur->prev = bts_index;
cur_index = bt_sample_index (bt, cur);