author | Benoît Ganne <bganne@cisco.com> | 2019-07-08 14:39:02 +0200 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2019-07-22 10:11:32 +0000 |
commit | f7c30df4bbeace3917164b249724d8cf0d8a6fec (patch) | |
tree | d13a8f21909d1544c15b73c2e311a68430be3d0f /src/vpp | |
parent | 1f50bf8fc57ebf78f9056185a342493be460a847 (diff) |
stats: fix use-after-free hash key string
Hash keys are not copied by the hash infrastructure, instead the pointer
is used directly. stat_segment_register_gauge() does not allocate a
private object for the key, causing issues when it is freed or reused.
Allocate a private object on insertion into the hashtable instead.
Type: fix
Fixes: 92e3082199d10add866894e86a9762d79a3536c4
Change-Id: Ifb6addfcaec81bdb7ea3512050ce55f06ef09a4c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/vpp')
-rw-r--r-- | src/vpp/stats/stat_segment.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/src/vpp/stats/stat_segment.c b/src/vpp/stats/stat_segment.c
index ec0bcf93690..1328ea815ae 100644
--- a/src/vpp/stats/stat_segment.c
+++ b/src/vpp/stats/stat_segment.c
@@ -67,12 +67,14 @@ lookup_or_create_hash_index (u8 * name, u32 next_vector_index)
 hash_pair_t *hp;
 /* Must be called in the context of the main heap */
- ASSERT (clib_mem_get_heap != sm->heap);
+ ASSERT (clib_mem_get_heap () != sm->heap);
 hp = hash_get_pair (sm->directory_vector_by_name, name);
 if (!hp)
 {
- hash_set (sm->directory_vector_by_name, name, next_vector_index);
+ /* we allocate our private copy of 'name' */
+ hash_set (sm->directory_vector_by_name, format (0, "%s%c", name, 0),
+ next_vector_index);
 index = next_vector_index;
 }
 else
@@ -188,10 +190,6 @@ vlib_stats_register_error_index (void *oldheap, u8 * name, u64 * em_vec,
 shared_header->directory_offset = stat_segment_offset (shared_header, sm->directory_vector);
 }
- else
- {
- vec_free (name);
- }
 vlib_stat_segment_unlock ();
 } |
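Review bot: The ownership rule this fix relies on is stated only by the one-line comment above the new `hash_set` call, so a caller of lookup_or_create_hash_index has nothing telling it that `name` is no longer taken over by the table. I would document it on the function, for example `/* Copies 'name' for the hash key on insert; the caller keeps ownership of 'name', the table owns the copy. */`. The copy made by `format (0, "%s%c", name, 0)` also needs a matching free wherever an entry is removed from `sm->directory_vector_by_name` (the stored `hp->key`, not the lookup string); no removal path is visible in this diff, so that is worth checking. The heap requirement is enforced only by `ASSERT`, which presumably compiles out of non-debug builds, so the copy lands on whatever heap the caller has active. The function starts and ends outside the hunk.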