From 58519563acc0933771172941291b7d0de2ffeddc Mon Sep 17 00:00:00 2001
From: Benoît Ganne
Date: Wed, 11 Sep 2019 16:40:04 +0200
Subject: hsa: fix memory management bugs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix use-after-free and non-null terminated string.

Type: fix

Change-Id: Ibba2a6cae68c612a34477aa813b3bf27a0c8fc1f
Signed-off-by: Benoît Ganne
---
 src/plugins/hs_apps/echo_client.c | 10 +++++++---
 src/plugins/hs_apps/sapi/vpp_echo.c | 4 ++--
 2 files changed, 9 insertions(+), 5 deletions(-)
(limited to 'src/plugins')

diff --git a/src/plugins/hs_apps/echo_client.c b/src/plugins/hs_apps/echo_client.c
index dc1384ce4b5..076fca22deb 100644
--- a/src/plugins/hs_apps/echo_client.c
+++ b/src/plugins/hs_apps/echo_client.c
@@ -370,6 +370,7 @@ quic_echo_clients_qsession_connected_callback (u32 app_index, u32 api_context,
   u8 thread_index = vlib_get_thread_index ();
   session_endpoint_cfg_t sep = SESSION_ENDPOINT_CFG_NULL;
   u32 stream_n;
+  session_handle_t handle;
 
   DBG ("QUIC Connection handle %d", session_handle (s));
 
@@ -377,7 +378,7 @@ quic_echo_clients_qsession_connected_callback (u32 app_index, u32 api_context,
   a->uri = (char *) ecm->connect_uri;
   if (parse_uri (a->uri, &sep))
     return -1;
-  sep.parent_handle = session_handle (s);
+  sep.parent_handle = handle = session_handle (s);
 
   for (stream_n = 0; stream_n < ecm->quic_streams; stream_n++)
     {
@@ -394,8 +395,11 @@ quic_echo_clients_qsession_connected_callback (u32 app_index, u32 api_context,
         }
       DBG ("QUIC stream %d connected", stream_n);
     }
-  vec_add1 (ecm->quic_session_index_by_thread[thread_index],
-            session_handle (s));
+  /*
+   * 's' is no longer valid, its underlying pool could have been moved in
+   * vnet_connect()
+   */
+  vec_add1 (ecm->quic_session_index_by_thread[thread_index], handle);
   vec_free (a);
   return 0;
 }
diff --git a/src/plugins/hs_apps/sapi/vpp_echo.c b/src/plugins/hs_apps/sapi/vpp_echo.c
index 18997599113..c72bf18f264 100644
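Review bot: The `return -1` just above the new line 381 still leaves `a` unreleased: `a->uri` is written on the preceding line, so `a` is already allocated there, and the only `vec_free (a)` is on the success path at the end of the third hunk. If `a` is vec-allocated as that `vec_free` suggests (the allocation is outside the hunk), the parse_uri failure path leaks it on every bad URI; `if (parse_uri (a->uri, &sep)) { vec_free (a); return -1; }` closes that. As a style point, the chained assignment `sep.parent_handle = handle = session_handle (s);` reads more plainly as two statements, `handle = session_handle (s);` followed by `sep.parent_handle = handle;`. quic_echo_clients_qsession_connected_callback begins before this hunk.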
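Review bot: The new comment above the vec_add1 explains that `s` is stale once the stream loop has run, but the same hazard exists inside the loop: the first `vnet_connect()` iteration can already move the pool, so any use of `s` in the loop body (lines 385-394, outside this hunk) after that call would be the same stale-pointer access the commit fixes here. Worth confirming the body only touches `sep`, `a` and `handle` after the first connect; if it does need the session, it should re-resolve it from `handle` (e.g. session_get_from_handle) rather than reuse `s`. The comment could say so explicitly, e.g. `/* 's' must not be dereferenced after the first vnet_connect(); re-resolve from 'handle' if needed */`. The function starts before this hunk.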
--- a/src/plugins/hs_apps/sapi/vpp_echo.c
+++ b/src/plugins/hs_apps/sapi/vpp_echo.c
@@ -160,7 +160,7 @@ print_global_stats (echo_main_t * em)
 
   s = format (0, "%U:%U", echo_format_timing_event, em->timing.start_event,
              echo_format_timing_event, em->timing.end_event);
-  fformat (stdout, "Timing %s\n", s);
+  fformat (stdout, "Timing %v\n", s);
   fformat (stdout, "-------- TX --------\n");
   fformat (stdout, "%lld bytes (%lld mbytes, %lld gbytes) in %.6f seconds\n",
           em->stats.tx_total, em->stats.tx_total / (1ULL << 20),
@@ -220,8 +220,8 @@ echo_free_sessions (echo_main_t * em)
       s = pool_elt_at_index (em->sessions, *session_index);
       echo_session_handle_add_del (em, s->vpp_session_handle,
                                   SESSION_INVALID_INDEX);
-      pool_put (em->sessions, s);
       clib_memset (s, 0xfe, sizeof (*s));
+      pool_put (em->sessions, s);
     }
 }
 
-- 
cgit 1.2.3-korg
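Review bot: Switching to `%v` on line 163 prints the vector by its stored length rather than scanning for a terminator, which is the right fix, but the vector that `format` allocates on line 161 still has to be released once printed, and no `vec_free (s)` appears in the hunk. print_global_stats continues past this hunk, so confirm the release follows; if it does not, add `vec_free (s);` after the fformat so each stats print does not leak a small allocation.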
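Review bot: The reorder in echo_free_sessions is correct but silent, and nothing stops a later edit from swapping the two lines back; a one-line comment above the clib_memset would pin the intent, e.g. `/* poison the slot before releasing it: 's' must not be touched after pool_put */`. Note that `s` stays in scope after `pool_put`, so the enclosing loop (its header lies outside the hunk) must not reference it again before the next `pool_elt_at_index` assigns it.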