From 17bd30384cb3441d11cd65a00a3af76885288b78 Mon Sep 17 00:00:00 2001
From: Klement Sekera <ksekera@cisco.com>
Date: Wed, 24 Mar 2021 17:29:23 +0100
Subject: nat: correct thread index usage

Use actual thread index from hash table instead of doing calculation.
Calculated index might be different and could lead to crash.

Type: fix
Change-Id: Iede9a67fbe541cb44eccd0d6ddf4e2c51eb35423
Signed-off-by: Klement Sekera <ksekera@cisco.com>
---
 src/plugins/nat/nat44-ei/nat44_ei_ha.c     | 13 +++----------
 src/plugins/nat/nat44-ei/nat44_ei_in2out.c |  7 ++++++-
 src/plugins/nat/nat44-ei/nat44_ei_out2in.c |  7 ++++++-
 3 files changed, 15 insertions(+), 12 deletions(-)

(limited to 'src/plugins/nat/nat44-ei')

diff --git a/src/plugins/nat/nat44-ei/nat44_ei_ha.c b/src/plugins/nat/nat44-ei/nat44_ei_ha.c
index 344d104fe65..d94d07bdbfa 100644
--- a/src/plugins/nat/nat44-ei/nat44_ei_ha.c
+++ b/src/plugins/nat/nat44-ei/nat44_ei_ha.c
@@ -254,26 +254,19 @@ nat44_ei_ha_sadd (ip4_address_t *in_addr, u16 in_port, ip4_address_t *out_addr,
 static_always_inline void
 nat44_ei_ha_sdel (ip4_address_t *out_addr, u16 out_port,
 		  ip4_address_t *eh_addr, u16 eh_port, u8 proto, u32 fib_index,
-		  u32 ti)
+		  u32 thread_index)
 {
   nat44_ei_main_t *nm = &nat44_ei_main;
   clib_bihash_kv_8_8_t kv, value;
-  u32 thread_index;
   nat44_ei_session_t *s;
   nat44_ei_main_per_thread_data_t *tnm;
 
-  if (nm->num_workers > 1)
-    thread_index = nm->first_worker_index +
-		   (nm->workers[(clib_net_to_host_u16 (out_port) - 1024) /
-				nm->port_per_thread]);
-  else
-    thread_index = nm->num_workers;
-  tnm = vec_elt_at_index (nm->per_thread_data, thread_index);
-
   init_nat_k (&kv, *out_addr, out_port, fib_index, proto);
   if (clib_bihash_search_8_8 (&nm->out2in, &kv, &value))
     return;
 
+  ASSERT (thread_index == nat_value_get_thread_index (&value));
+  tnm = vec_elt_at_index (nm->per_thread_data, thread_index);
   s = pool_elt_at_index (tnm->sessions, nat_value_get_session_index (&value));
   nat44_ei_free_session_data_v2 (nm, s, thread_index, 1);
   nat44_ei_delete_session (nm, s, thread_index);
diff --git a/src/plugins/nat/nat44-ei/nat44_ei_in2out.c b/src/plugins/nat/nat44-ei/nat44_ei_in2out.c
index d1a962f5222..42923aa0f77 100644
--- a/src/plugins/nat/nat44-ei/nat44_ei_in2out.c
+++ b/src/plugins/nat/nat44-ei/nat44_ei_in2out.c
@@ -257,7 +257,12 @@ nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg)
     vec_elt_at_index (nm->per_thread_data, ctx->thread_index);
   clib_bihash_kv_8_8_t s_kv;
 
-  s = pool_elt_at_index (tnm->sessions, kv->value);
+  if (ctx->thread_index != nat_value_get_thread_index (kv))
+    {
+      return 0;
+    }
+
+  s = pool_elt_at_index (tnm->sessions, nat_value_get_session_index (kv));
   sess_timeout_time = s->last_heard + (f64) nat_session_get_timeout (
 					&nm->timeouts, s->nat_proto, s->state);
   if (ctx->now >= sess_timeout_time)
diff --git a/src/plugins/nat/nat44-ei/nat44_ei_out2in.c b/src/plugins/nat/nat44-ei/nat44_ei_out2in.c
index 1d5ebd33cd5..1f04ba056b5 100644
--- a/src/plugins/nat/nat44-ei/nat44_ei_out2in.c
+++ b/src/plugins/nat/nat44-ei/nat44_ei_out2in.c
@@ -110,7 +110,12 @@ nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg)
     vec_elt_at_index (nm->per_thread_data, ctx->thread_index);
   clib_bihash_kv_8_8_t s_kv;
 
-  s = pool_elt_at_index (tnm->sessions, kv->value);
+  if (ctx->thread_index != nat_value_get_thread_index (kv))
+    {
+      return 0;
+    }
+
+  s = pool_elt_at_index (tnm->sessions, nat_value_get_session_index (kv));
   sess_timeout_time = s->last_heard + (f64) nat_session_get_timeout (
 					&nm->timeouts, s->nat_proto, s->state);
   if (ctx->now >= sess_timeout_time)
-- 
cgit 1.2.3-korg