summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorAndrew Yourtchenko <ayourtch@gmail.com>2017-01-24 15:47:27 +0100
committerDave Wallace <dwallacelf@gmail.com>2017-01-24 16:57:57 +0000
commitf69ecfe09db52c672ccbe47e714bc9c9a70d5539 (patch)
tree2f2ddc071bcd6e088751114719ea39b50f3b4e18 /src
parent898171afd9c7d37bc223c6520edad54980ad12fb (diff)
ping: fix double-free crash under VMWare hypervisor
bi0 retrieval from the ping reply events vector was incorrectly done always from the first element. For TBD reason the sending of the ping requests under VMWare was batched, as a result the replies arrive close enough to make the events arrive as an array, which exposed this bug. KVM never exhibited this behavior, which explains not seeing this issue there. Change-Id: I485d6f983571e25baa9407c21ef604937586d8bd Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Diffstat (limited to 'src')
-rw-r--r--src/vnet/ip/ping.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/vnet/ip/ping.c b/src/vnet/ip/ping.c
index 68dbe759ebc..88882629426 100644
--- a/src/vnet/ip/ping.c
+++ b/src/vnet/ip/ping.c
@@ -601,7 +601,7 @@ run_ping_ip46_address (vlib_main_t * vm, u32 table_id, ip4_address_t * pa4,
int i;
for (i = 0; i < vec_len (event_data); i++)
{
- u32 bi0 = event_data[0];
+ u32 bi0 = event_data[i];
print_ip6_icmp_reply (vm, bi0);
n_replies++;
if (0 != bi0)
@@ -616,7 +616,7 @@ run_ping_ip46_address (vlib_main_t * vm, u32 table_id, ip4_address_t * pa4,
int i;
for (i = 0; i < vec_len (event_data); i++)
{
- u32 bi0 = event_data[0];
+ u32 bi0 = event_data[i];
print_ip4_icmp_reply (vm, bi0);
n_replies++;
if (0 != bi0)