From fcb879c96c9c8f237a5d057a8b105f2c120672d5 Mon Sep 17 00:00:00 2001
From: Benoît Ganne
Date: Wed, 11 Sep 2019 16:41:49 +0200
Subject: quic: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Type: fix
Change-Id: I5e5e37684e336ca992dae8ea1d39b1fb103802b1
Signed-off-by: Benoît Ganne
(cherry picked from commit 6d6456ab421ee30f14aded964bad2d3ba55bcf20)
---
 src/plugins/quic/quic.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/plugins/quic/quic.c b/src/plugins/quic/quic.c
index 4a465fcbe30..97f03e52f5b 100644
--- a/src/plugins/quic/quic.c
+++ b/src/plugins/quic/quic.c
@@ -1404,6 +1404,11 @@ quic_on_client_connected (quic_ctx_t * ctx)
 /* If the app opens a stream in its callback it may invalidate ctx */
 ctx = quic_ctx_get (ctx_id, thread_index);
+ /*
+ * app_worker_connect_notify() might have reallocated pool, reload
+ * quic_session pointer
+ */
+ quic_session = session_get (ctx->c_s_index, thread_index);
 quic_session->session_state = SESSION_STATE_LISTENING;
 return 0;
@@ -1997,10 +2002,10 @@ quic_process_one_rx_packet (u64 udp_session_handle,
 {
 /* Right ctx found, create conn & remove from pool */
 quic_create_connection(*ctx_index_ptr, sa, salen, packet_ctx->packet);
- pool_put (opening_ctx_pool, ctx_index_ptr);
 *max_packet = packet_n + 1;
 packet_ctx->thread_index = thread_index;
 packet_ctx->ctx_index = *ctx_index_ptr;
+ pool_put (opening_ctx_pool, ctx_index_ptr);
 goto updateOffset;
 }
 }));
--
cgit 1.2.3-korg
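Review bot: The reload `quic_session = session_get (ctx->c_s_index, thread_index);` fixes the stale session pointer, but neither the reloaded `ctx` nor the reloaded session is checked for liveness before `quic_session->session_state = SESSION_STATE_LISTENING;` is written. If the app's callback can close the session (or app_worker_connect_notify() can fail) rather than just grow the pools, `ctx->c_s_index` may no longer name a live session and the write lands on a freed or recycled slot; I cannot see from the hunk whether the callback's return value is checked earlier in quic_on_client_connected, whose body begins outside the hunk. A guard such as `if (!quic_session) return -1;` after the reload, or an assertion on the reloaded ctx state, would make the invariant explicit. The two comments could also be merged into one that states the real rule, e.g. `/* The app callback may reallocate both the ctx and session pools; every pointer held across it must be reloaded from its index */`, so the next field added after the callback follows the same pattern.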
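Review bot: Moving `pool_put (opening_ctx_pool, ctx_index_ptr);` after the last read of `*ctx_index_ptr` is the right fix, but nothing in the new code says why the order matters, so a later refactor can easily move the free back up and reintroduce the use-after-free. I would anchor the ordering with a comment on the moved line, `/* ctx_index_ptr points into opening_ctx_pool: must stay after the last read of *ctx_index_ptr */`, and the existing "create conn & remove from pool" comment now describes the block's end rather than its start. Note also that `pool_put` is issued inside what looks like a pool_foreach body (`}));` closes it); this is only safe because `goto updateOffset` leaves the iteration immediately afterwards, which is worth stating in the same comment. Whether quic_create_connection() can itself grow opening_ctx_pool is not visible here; if it can, `ctx_index_ptr` would be stale before the reads as well.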