From b72e494f39c5338c71b77ac9b3496d810d6bfbbd Mon Sep 17 00:00:00 2001
From: Florin Coras <fcoras@cisco.com>
Date: Wed, 22 Apr 2020 22:07:43 +0000
Subject: tcp: avoid bt sample access after possible pool realloc

Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I98f943c8862fa74fb576f9ec1fb9186289b1216b
(cherry picked from commit c17ff6ec3b69ef228047bf346e0b524c48d2c96e)
---
 src/vnet/tcp/tcp_bt.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/vnet/tcp/tcp_bt.c b/src/vnet/tcp/tcp_bt.c
index 13022955cfe..d67a248b037 100644
--- a/src/vnet/tcp/tcp_bt.c
+++ b/src/vnet/tcp/tcp_bt.c
@@ -336,6 +336,7 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
   tcp_bt_sample_t *bts, *next, *cur, *prev, *nbts;
   u32 bts_index, cur_index, next_index, prev_index, max_seq;
   u8 is_end = end == tc->snd_nxt;
+  tcp_bts_flags_t bts_flags;
 
   /* Contiguous blocks retransmitted at the same time */
   bts = bt_get_sample (bt, bt->last_ooo);
@@ -350,8 +351,10 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
       return;
     }
 
-  /* Find original tx sample */
+  /* Find original tx sample and cache flags in case the sample
+   * is freed or the pool moves */
   bts = bt_lookup_seq (bt, start);
+  bts_flags = bts->flags;
 
   ASSERT (bts != 0 && seq_geq (start, bts->min_seq));
 
@@ -362,12 +365,9 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
   /* Head overlap */
   if (bts->min_seq == start)
     {
-      /* bts can be freed by bt_fix_overlapped() below */
-      tcp_bts_flags_t bts_flags = bts->flags;
-
       prev_index = bts->prev;
       next = bt_fix_overlapped (bt, bts, end, is_end);
-      /* bts is no longer valid from here */
+      /* bts might no longer be valid from here */
       next_index = bt_sample_index (bt, next);
 
       cur = tcp_bt_alloc_tx_sample (tc, start, end);
@@ -414,7 +414,7 @@ tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
   /* Have to split or tail overlap */
   cur = tcp_bt_alloc_tx_sample (tc, start, end);
   cur->flags |= TCP_BTS_IS_RXT;
-  if (bts->flags & TCP_BTS_IS_RXT)
+  if (bts_flags & TCP_BTS_IS_RXT)
     cur->flags |= TCP_BTS_IS_RXT_LOST;
   cur->prev = bts_index;
   cur_index = bt_sample_index (bt, cur);
-- 
cgit 1.2.3-korg