tcp: fix use-after-free
diff --git
a/src/vnet/tcp/tcp_bt.c
b/src/vnet/tcp/tcp_bt.c
index
6f9ee01
..
eaec147
100644
(file)
--- a/
src/vnet/tcp/tcp_bt.c
+++ b/
src/vnet/tcp/tcp_bt.c
@@
-366,13
+366,17
@@
tcp_bt_track_rxt (tcp_connection_t * tc, u32 start, u32 end)
/* Head overlap */
if (bts->min_seq == start)
{
/* Head overlap */
if (bts->min_seq == start)
{
+ /* bts can be freed by bt_fix_overlapped() below */
+ tcp_bts_flags_t bts_flags = bts->flags;
+
prev_index = bts->prev;
next = bt_fix_overlapped (bt, bts, end, is_end);
prev_index = bts->prev;
next = bt_fix_overlapped (bt, bts, end, is_end);
+ /* bts is no longer valid from here */
next_index = bt_sample_index (bt, next);
cur = tcp_bt_alloc_tx_sample (tc, start, end);
cur->flags |= TCP_BTS_IS_RXT;
next_index = bt_sample_index (bt, next);
cur = tcp_bt_alloc_tx_sample (tc, start, end);
cur->flags |= TCP_BTS_IS_RXT;
- if (bts
->
flags & TCP_BTS_IS_RXT)
+ if (bts
_
flags & TCP_BTS_IS_RXT)
cur->flags |= TCP_BTS_IS_RXT_LOST;
cur->next = next_index;
cur->prev = prev_index;
cur->flags |= TCP_BTS_IS_RXT_LOST;
cur->next = next_index;
cur->prev = prev_index;
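Review bot: After `bt_fix_overlapped (bt, bts, end, is_end)` returns, `bts` remains a live local that may point at a freed sample, and the only guard against reusing it is the comment `/* bts is no longer valid from here */`. Consider clearing the pointer right after the call, `bts = 0;`, so that any later dereference in this branch faults immediately instead of silently reading freed pool memory. Reading `bts->prev` and copying `bts->flags` into `bts_flags` before the call is the right order. tcp_bt_track_rxt starts and ends outside this hunk, so it cannot be confirmed from here whether `bts` is reassigned before its next use, or whether other branches call bt_fix_overlapped() and then read `bts`; both are worth checking.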