Fix double free in af_packet api/cli

The api was allocating a vector for the name, passing it, then freeing
it, on create. The cli allocated, passed then forgot about it.

af_packet_create_if was storing a reference to the name, which in the
case of the api, meant it was referencing dead memory. On
af_packet_delete_if this reference was freed, so in the api case, there
was a double free.

Also, the cli for delete leaked the name.

Change-Id: I4d572bd2936eaf8ea7a0a8ff282e83ac2bf1b062
Signed-off-by: Ivan Kelly <ivan@midokura.com>

diff --git a/vnet/vnet/devices/af_packet/af_packet.c b/vnet/vnet/devices/af_packet/af_packet.c
index cec25fe..91c3988 100644 (file)
--- a/vnet/vnet/devices/af_packet/af_packet.c
+++ b/vnet/vnet/devices/af_packet/af_packet.c
@@ -187,6 +187,7 @@ af_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set,
   vnet_main_t *vnm = vnet_get_main ();
   uword *p;
   uword if_index;
+  u8 *host_if_name_dup = vec_dup (host_if_name);
 
   p = mhash_get (&apm->if_index_by_host_if_name, host_if_name);
   if (p)
@@ -220,7 +221,7 @@ af_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set,
   apif->tx_ring = ring + rx_req->tp_block_size * rx_req->tp_block_nr;
   apif->rx_req = rx_req;
   apif->tx_req = tx_req;
-  apif->host_if_name = host_if_name;
+  apif->host_if_name = host_if_name_dup;
   apif->per_interface_next_index = ~0;
   apif->next_tx_frame = 0;
   apif->next_rx_frame = 0;
@@ -268,13 +269,14 @@ af_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set,
   vnet_hw_interface_set_flags (vnm, apif->hw_if_index,
                               VNET_HW_INTERFACE_FLAG_LINK_UP);
 
-  mhash_set_mem (&apm->if_index_by_host_if_name, host_if_name, &if_index, 0);
+  mhash_set_mem (&apm->if_index_by_host_if_name, host_if_name_dup, &if_index,
+                0);
   if (sw_if_index)
     *sw_if_index = apif->sw_if_index;
   return 0;
 
 error:
-  vec_free (host_if_name);
+  vec_free (host_if_name_dup);
   vec_free (rx_req);
   vec_free (tx_req);
   return ret;

diff --git a/vnet/vnet/devices/af_packet/cli.c b/vnet/vnet/devices/af_packet/cli.c
index 87ec518..2cbd415 100644 (file)
--- a/vnet/vnet/devices/af_packet/cli.c
+++ b/vnet/vnet/devices/af_packet/cli.c
@@ -65,6 +65,7 @@ af_packet_create_command_fn (vlib_main_t * vm, unformat_input_t * input,
     return clib_error_return (0, "missing host interface name");
 
   r = af_packet_create_if (vm, host_if_name, hw_addr_ptr, &sw_if_index);
+  vec_free (host_if_name);
 
   if (r == VNET_API_ERROR_SYSCALL_ERROR_1)
     return clib_error_return (0, "%s (errno %d)", strerror (errno), errno);
@@ -113,6 +114,7 @@ af_packet_delete_command_fn (vlib_main_t * vm, unformat_input_t * input,
     return clib_error_return (0, "missing host interface name");
 
   af_packet_delete_if (vm, host_if_name);
+  vec_free (host_if_name);
 
   return 0;
 }