From ab955b1b44f3d606cef51a9471a6562a7135ab3e Mon Sep 17 00:00:00 2001 From: Dave Barach Date: Mon, 6 Aug 2018 08:43:47 -0400 Subject: fix dangling reference in foreach_key_value_pair When the user deletes the last entry in a bihash bucket, the bihash infra frees the bucket's backing storage. If this happens under clib_bihash_foreach_key_value_pair - and the freed bucket happens to be the bucket being traversed - the resulting dangling reference can easily make the wheels fall off. Simple fix: if (bucket-is-now-empty) double-break. Change-Id: Idc44247a82ed5d0ba548507b4a53d4c8503ba8bb Signed-off-by: Dave Barach (cherry picked from commit ca45ee73d7c49c7f659c5cd690d3403d440e50f9) --- src/vppinfra/bihash_template.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/vppinfra/bihash_template.c b/src/vppinfra/bihash_template.c index 89ae847c036..6b9e67157af 100644 --- a/src/vppinfra/bihash_template.c +++ b/src/vppinfra/bihash_template.c @@ -677,9 +677,16 @@ void BV (clib_bihash_foreach_key_value_pair) continue; (*fp) (&v->kvp[k], arg); + /* + * In case the callback deletes the last entry in the bucket... + */ + if (b->offset == 0) + goto doublebreak; } v++; } + doublebreak: + ; } } -- cgit 1.2.3-korg
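Review bot: The comment added above `if (b->offset == 0)` trails off at "deletes the last entry in the bucket..." and never states why the walk has to stop. Say it outright: per the commit message, the bucket's backing storage has been freed at that point, so `v` must not be dereferenced again. The check also covers only the emptied-bucket case. If a callback can cause the bucket's storage to be released or moved in any other way while the traversal is running, these lines do not catch it, so the function's documentation should state what a callback may and may not do to the table during the walk.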