From dfad26986077ff26b471c008a0fd77a79f767a3c Mon Sep 17 00:00:00 2001 From: Steven Luong Date: Wed, 29 Jan 2020 13:26:47 -0800 Subject: fib: refresh adj pointer after fib_walk_sync due to possible realloc fib_walk_sync may call adj_alloc which may cause adj_pool to expand. When that happens, any previous frame which still use the old adj pointer needs to refresh. Failure to do so may access or update to the old adj memory unintentionally and crash mysteriously. Type: fix Ticket: VPPSUPP-54 Signed-off-by: Steven Luong Change-Id: Ia7c6cb03c1ed9ddbbfb12dd42c8abc7f5b3f210c --- src/vnet/adj/adj_nbr.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/vnet/adj/adj_nbr.c') diff --git a/src/vnet/adj/adj_nbr.c b/src/vnet/adj/adj_nbr.c index c80317a67a5..758be3bfe9e 100644 --- a/src/vnet/adj/adj_nbr.c +++ b/src/vnet/adj/adj_nbr.c @@ -449,6 +449,12 @@ adj_nbr_update_rewrite_internal (ip_adjacency_t *adj, }; fib_walk_sync(FIB_NODE_TYPE_ADJ, walk_ai, &bw_ctx); + /* + * fib_walk_sync may allocate a new adjacency and potentially cuase a realloc + * for adj_pool. When that happens, adj pointer is no longer valid here. + * We refresh the adj pointer accordingly. + */ + adj = adj_get (ai); } /* -- cgit 1.2.3-korg
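Review bot: the refresh `adj = adj_get (ai);` relies on an index named `ai`, but the only index visible in this hunk's context is `walk_ai` (passed to `fib_walk_sync`); please confirm that `ai` is in scope in `adj_nbr_update_rewrite_internal` and is the index of the `adj` parameter rather than of the walked node, since refreshing from the wrong index would silently swap the adjacency being updated. It would also help to state in the comment (or with an assertion on `adj->rewrite_header` or similar state the caller already checks) that no use of the stale `adj` pointer remains between the `fib_walk_sync` call and the refresh, because that window is exactly the use-after-realloc the commit message describes. Minor: the added comment has a typo, "cuase" should be "cause", and "adj pointer is no longer valid here" reads better as "the adj pointer may no longer be valid here".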