From 2c801f7ffb7475e3dec11ef6aef28d0cb1142561 Mon Sep 17 00:00:00 2001
From: Benoît Ganne
Date: Wed, 22 Apr 2020 19:15:49 +0200
Subject: tcp: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

bts can be freed by the call to bt_fix_overlapped(). Save flags for later use.

Type: fix
Change-Id: If8b48c96ce39e38f2ed7f4db2815122523eb2e05
Signed-off-by: Benoît Ganne
(cherry picked from commit a04adbf5368f9ec907508ff36d42fbd72d287120)
---
 src/vnet/tcp/tcp_bt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/vnet/tcp/tcp_bt.c b/src/vnet/tcp/tcp_bt.c
index b6649444eb5..13022955cfe 100644
--- a/src/vnet/tcp/tcp_bt.c
+++ b/src/vnet/tcp/tcp_bt.c
@@ -362,13 +362,17 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
   /* Head overlap */
   if (bts->min_seq == start)
     {
+      /* bts can be freed by bt_fix_overlapped() below */
+      tcp_bts_flags_t bts_flags = bts->flags;
+
       prev_index = bts->prev;
       next = bt_fix_overlapped (bt, bts, end, is_end);
+      /* bts is no longer valid from here */
       next_index = bt_sample_index (bt, next);
       cur = tcp_bt_alloc_tx_sample (tc, start, end);
       cur->flags |= TCP_BTS_IS_RXT;
-      if (bts->flags & TCP_BTS_IS_RXT)
+      if (bts_flags & TCP_BTS_IS_RXT)
         cur->flags |= TCP_BTS_IS_RXT_LOST;
       cur->next = next_index;
       cur->prev = prev_index;
--
cgit 1.2.3-korg
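Review bot: After `next = bt_fix_overlapped (bt, bts, end, is_end);` the local `bts` still holds a pointer into storage the callee may have freed, and only the added comment guards against a later dereference. Unless `bts` is legitimately reused further down in `tcp_bt_track_rxt` (its body continues outside the hunk), clearing it right after the call, `bts = NULL; /* freed by bt_fix_overlapped() */`, turns any future use into a deterministic NULL dereference instead of a silent use-after-free that only sanitizer tooling would catch. The same caching-before-call treatment is presumably needed at any other caller that dereferences its sample after `bt_fix_overlapped()`; worth checking. If `tcp_bt_alloc_tx_sample` can grow the sample pool (not visible here), the hunk's ordering of `next_index = bt_sample_index (bt, next);` before the allocation is load-bearing, and a comment such as `/* convert to index before allocating: the pool may move */` would keep it from being reordered later.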