From f7c30df4bbeace3917164b249724d8cf0d8a6fec Mon Sep 17 00:00:00 2001
From: Benoît Ganne <bganne@cisco.com>
Date: Mon, 8 Jul 2019 14:39:02 +0200
Subject: stats: fix use-after-free hash key string
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hash keys are not copied by the hash infrastructure, instead the pointer
is used directly. stat_segment_register_gauge() does not allocate a
private object for the key, causing issues when it is freed or reused.
Allocate a private object on insertion into the hashtable instead.

Type: fix
Fixes: 92e3082199d10add866894e86a9762d79a3536c4

Change-Id: Ifb6addfcaec81bdb7ea3512050ce55f06ef09a4c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
---
 src/vlib/error.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'src/vlib/error.c')

diff --git a/src/vlib/error.c b/src/vlib/error.c
index ef506635ad9..58e13431d9f 100644
--- a/src/vlib/error.c
+++ b/src/vlib/error.c
@@ -160,15 +160,18 @@ vlib_register_errors (vlib_main_t * vm,
   /* Register counter indices in the stat segment directory */
   {
     int i;
-    u8 *error_name;
+    u8 *error_name = 0;
 
     for (i = 0; i < n_errors; i++)
       {
-	error_name = format (0, "/err/%v/%s%c", n->name, error_strings[i], 0);
-	/* Note: error_name consumed by the following call */
+	vec_reset_length (error_name);
+	error_name =
+	  format (error_name, "/err/%v/%s%c", n->name, error_strings[i], 0);
 	vlib_stats_register_error_index (oldheap, error_name, em->counters,
 					 n->error_heap_index + i);
       }
+
+    vec_free (error_name);
   }
 
   /* (re)register the em->counters base address, switch back to main heap */
-- 
cgit 1.2.3-korg