From d4aeb84c3f066b755b723163da292eab95bd1ef9 Mon Sep 17 00:00:00 2001
From: Benoît Ganne <bganne@cisco.com>
Date: Thu, 18 Jul 2019 18:38:42 +0200
Subject: session: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Make sure to reinitialize data before free-ing it.

Type: fix

Change-Id: I45727c456d0345204d4825ecdd9690c5ebeb5e94
Signed-off-by: Benoît Ganne <bganne@cisco.com>
---
 src/vnet/udp/udp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/vnet/udp')

diff --git a/src/vnet/udp/udp.c b/src/vnet/udp/udp.c
index 949c6356d33..fbd9e980181 100644
--- a/src/vnet/udp/udp.c
+++ b/src/vnet/udp/udp.c
@@ -58,9 +58,10 @@ udp_connection_alloc (u32 thread_index)
 void
 udp_connection_free (udp_connection_t * uc)
 {
-  pool_put (udp_main.connections[uc->c_thread_index], uc);
+  u32 thread_index = uc->c_thread_index;
   if (CLIB_DEBUG)
     clib_memset (uc, 0xFA, sizeof (*uc));
+  pool_put (udp_main.connections[thread_index], uc);
 }
 
 void
-- 
cgit 1.2.3-korg