diff options
author | Benoît Ganne <bganne@cisco.com> | 2019-07-18 18:38:42 +0200 |
---|---|---|
committer | Andrew Yourtchenko <ayourtch@gmail.com> | 2019-10-11 11:46:42 +0000 |
commit | 4adcdcd197a99c1adb0761ed9acedb3cfd1e37fb (patch) | |
tree | bd128b6463483dc0e8843c3ed19256cdaed31eab /src | |
parent | 88af6c3f4a22d12674e7c598d0c77d0254cf0f47 (diff) |
session: fix use-after-free
Make sure to reinitialize data before free-ing it.
Type: fix
Change-Id: I45727c456d0345204d4825ecdd9690c5ebeb5e94
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit d4aeb84c3f066b755b723163da292eab95bd1ef9)
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/sctp/sctp.h | 4 | ||||
-rw-r--r-- | src/vnet/session/application.c | 2 | ||||
-rw-r--r-- | src/vnet/session/application_worker.c | 2 | ||||
-rw-r--r-- | src/vnet/tcp/tcp.c | 2 | ||||
-rw-r--r-- | src/vnet/udp/udp.c | 3 |
5 files changed, 7 insertions, 6 deletions
diff --git a/src/plugins/sctp/sctp.h b/src/plugins/sctp/sctp.h index a99b01c1c0a..aa2409ecce8 100644 --- a/src/plugins/sctp/sctp.h +++ b/src/plugins/sctp/sctp.h @@ -607,11 +607,11 @@ always_inline void sctp_half_open_connection_del (sctp_connection_t * tc) { sctp_main_t *sctp_main = vnet_get_sctp_main (); + u32 index = tc->sub_conn[SCTP_PRIMARY_PATH_IDX].c_c_index; clib_spinlock_lock_if_init (&sctp_main->half_open_lock); - pool_put_index (sctp_main->half_open_connections, - tc->sub_conn[SCTP_PRIMARY_PATH_IDX].c_c_index); if (CLIB_DEBUG) clib_memset (tc, 0xFA, sizeof (*tc)); + pool_put_index (sctp_main->half_open_connections, index); clib_spinlock_unlock_if_init (&sctp_main->half_open_lock); } diff --git a/src/vnet/session/application.c b/src/vnet/session/application.c index d4f3d61ab61..583c4b055ee 100644 --- a/src/vnet/session/application.c +++ b/src/vnet/session/application.c @@ -52,9 +52,9 @@ static void app_listener_free (application_t * app, app_listener_t * app_listener) { clib_bitmap_free (app_listener->workers); - pool_put (app->listeners, app_listener); if (CLIB_DEBUG) clib_memset (app_listener, 0xfa, sizeof (*app_listener)); + pool_put (app->listeners, app_listener); } session_handle_t diff --git a/src/vnet/session/application_worker.c b/src/vnet/session/application_worker.c index 30edf3c32cc..c45679735b9 100644 --- a/src/vnet/session/application_worker.c +++ b/src/vnet/session/application_worker.c @@ -109,9 +109,9 @@ app_worker_free (app_worker_t * app_wrk) segment_manager_free (sm); } - pool_put (app_workers, app_wrk); if (CLIB_DEBUG) clib_memset (app_wrk, 0xfe, sizeof (*app_wrk)); + pool_put (app_workers, app_wrk); } application_t * diff --git a/src/vnet/tcp/tcp.c b/src/vnet/tcp/tcp.c index 75a45a448bd..8467ea4fd67 100644 --- a/src/vnet/tcp/tcp.c +++ b/src/vnet/tcp/tcp.c @@ -192,9 +192,9 @@ tcp_half_open_connection_del (tcp_connection_t * tc) { tcp_main_t *tm = vnet_get_tcp_main (); clib_spinlock_lock_if_init (&tm->half_open_lock); - pool_put_index (tm->half_open_connections, tc->c_c_index); if (CLIB_DEBUG) clib_memset (tc, 0xFA, sizeof (*tc)); + pool_put (tm->half_open_connections, tc); clib_spinlock_unlock_if_init (&tm->half_open_lock); } diff --git a/src/vnet/udp/udp.c b/src/vnet/udp/udp.c index 949c6356d33..fbd9e980181 100644 --- a/src/vnet/udp/udp.c +++ b/src/vnet/udp/udp.c @@ -58,9 +58,10 @@ udp_connection_alloc (u32 thread_index) void udp_connection_free (udp_connection_t * uc) { - pool_put (udp_main.connections[uc->c_thread_index], uc); + u32 thread_index = uc->c_thread_index; if (CLIB_DEBUG) clib_memset (uc, 0xFA, sizeof (*uc)); + pool_put (udp_main.connections[thread_index], uc); } void |