From 37665ea1c11ea13e681e37da669ea3581a84252d Mon Sep 17 00:00:00 2001
From: Benoît Ganne
Date: Tue, 22 Jun 2021 15:39:16 +0200
Subject: ikev2: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Type: fix
Change-Id: Ia3bacefdad674807de873b5c457b8470f66193f3
Signed-off-by: Benoît Ganne
---
 src/plugins/ikev2/ikev2.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src/plugins/ikev2/ikev2.c')
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 4f0e49fe5be..cfcbcd4bc5f 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -5208,7 +5208,8 @@ ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt,
 vec_foreach (sai, to_be_deleted)
 {
 sa = pool_elt_at_index (tkm->sas, sai[0]);
- u8 reinitiate = (sa->is_initiator && sa->profile_index != ~0);
+ const u32 profile_index = sa->profile_index;
+ const int reinitiate = (sa->is_initiator && profile_index != ~0);
 vec_foreach (c, sa->childs)
 {
 ikev2_delete_tunnel_interface (km->vnet_main, sa, c);
@@ -5220,7 +5221,7 @@ ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt,
 if (reinitiate)
 {
- p = pool_elt_at_index (km->profiles, sa->profile_index);
+ p = pool_elt_at_index (km->profiles, profile_index);
 if (p)
 {
 clib_error_t *e = ikev2_initiate_sa_init (vm, p->name);
-- cgit 1.2.3-korg
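Review bot: The two new locals in the first hunk (`profile_index`, `reinitiate`) carry no comment saying why they are copied out of `sa`, so a later cleanup could fold them back into `sa->profile_index` and reintroduce the stale read. The call that releases `sa` sits between the two hunks and is not visible here; assuming it is the SA deletion, I would add `/* snapshot now: sa goes back to the pool below, do not read sa-> after that */` above the declarations. ikev2_mngr_process_fn starts and ends outside the hunk.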
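Review bot: In the second hunk the `if (p)` guard does not validate the saved index, because `pool_elt_at_index` returns base plus offset and only asserts in debug images that the slot is in use, so `p` is non-NULL even for a profile that has been removed. If a profile can be deleted while an SA still refers to it (not visible in this diff), `p->name` would then be read from a freed pool element. I would test the slot first with `if (!pool_is_free_index (km->profiles, profile_index))` and take the pointer inside that branch instead of relying on the NULL test. The enclosing loop body continues outside the hunk.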