From 4adcdcd197a99c1adb0761ed9acedb3cfd1e37fb Mon Sep 17 00:00:00 2001
From: Benoît Ganne <bganne@cisco.com>
Date: Thu, 18 Jul 2019 18:38:42 +0200
Subject: session: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Make sure to reinitialize data before free-ing it.

Type: fix

Change-Id: I45727c456d0345204d4825ecdd9690c5ebeb5e94
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit d4aeb84c3f066b755b723163da292eab95bd1ef9)
---
 src/plugins/sctp/sctp.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/plugins')

diff --git a/src/plugins/sctp/sctp.h b/src/plugins/sctp/sctp.h
index a99b01c1c0a..aa2409ecce8 100644
--- a/src/plugins/sctp/sctp.h
+++ b/src/plugins/sctp/sctp.h
@@ -607,11 +607,11 @@ always_inline void
 sctp_half_open_connection_del (sctp_connection_t * tc)
 {
   sctp_main_t *sctp_main = vnet_get_sctp_main ();
+  u32 index = tc->sub_conn[SCTP_PRIMARY_PATH_IDX].c_c_index;
   clib_spinlock_lock_if_init (&sctp_main->half_open_lock);
-  pool_put_index (sctp_main->half_open_connections,
-		  tc->sub_conn[SCTP_PRIMARY_PATH_IDX].c_c_index);
   if (CLIB_DEBUG)
     clib_memset (tc, 0xFA, sizeof (*tc));
+  pool_put_index (sctp_main->half_open_connections, index);
   clib_spinlock_unlock_if_init (&sctp_main->half_open_lock);
 }
 
-- 
cgit 1.2.3-korg