From 1890e9ce57a4b6dbc732f8f11d78001bea7c5855 Mon Sep 17 00:00:00 2001
From: Filip Tehlar
Date: Wed, 2 Oct 2019 09:08:04 +0000
Subject: [PATCH 1/1] ikev2: fix dangling pointer

Type: fix
Change-Id: I8aa9029e0a5cf21aa24a90b39eb2787653f65abb
Signed-off-by: Filip Tehlar
---
 src/plugins/ikev2/ikev2.c      | 39 ++++++++++++++++++++++++++-------------
 src/plugins/ikev2/ikev2_priv.h |  3 ++-
 2 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 3b47ee21724..e90f5a3bd3b 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -389,8 +389,9 @@ ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai)
   sa->iaddr.as_u32 = sai->iaddr.as_u32;
   sa->raddr.as_u32 = sai->raddr.as_u32;
   sa->is_initiator = sai->is_initiator;
-  sa->profile = sai->profile;
   sa->i_id.type = sai->i_id.type;
+  sa->profile_index = sai->profile_index;
+  sa->is_profile_index_set = sai->is_profile_index_set;
   sa->i_id.data = _(sai->i_id.data);
   sa->i_auth.method = sai->i_auth.method;
   sa->i_auth.hex = sai->i_auth.hex;
@@ -1478,6 +1479,8 @@ static int
 ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
			       ikev2_child_sa_t * child)
 {
+  ikev2_main_t *km = &ikev2_main;
+  ikev2_profile_t *p = 0;
   ipsec_add_del_tunnel_args_t a;
   ikev2_sa_transform_t *tr;
   ikev2_sa_proposal_t *proposals;
@@ -1628,11 +1631,14 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
   a.remote_crypto_key_len = vec_len (rem_ckey);
   clib_memcpy_fast (a.remote_crypto_key, rem_ckey, a.remote_crypto_key_len);
 
-  if (sa->profile && sa->profile->lifetime)
+  if (sa->is_profile_index_set)
+    p = pool_elt_at_index (km->profiles, sa->profile_index);
+
+  if (p && p->lifetime)
     {
-      child->time_to_expiration = vlib_time_now (vnm->vlib_main)
-	+ sa->profile->lifetime;
-      if (sa->profile->lifetime_jitter)
+      child->time_to_expiration =
+	vlib_time_now (vnm->vlib_main) + p->lifetime;
+      if (p->lifetime_jitter)
 	{
 	  // This is not much better than rand(3), which Coverity warns
 	  // is unsuitable for security applications; random_u32 is
@@ -1642,8 +1648,7 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
 	  u32 rnd = (u32) (vlib_time_now (vnm->vlib_main) * 1e6);
 	  rnd = random_u32 (&rnd);
-	  child->time_to_expiration +=
-	    1 + (rnd % sa->profile->lifetime_jitter);
+	  child->time_to_expiration += 1 + (rnd % p->lifetime_jitter);
 	}
     }
@@ -2996,7 +3001,8 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
   ikev2_sa_free_proposal_vector (&proposals);
 
   sa.is_initiator = 1;
-  sa.profile = p;
+  sa.profile_index = km->profiles - p;
+  sa.is_profile_index_set = 1;
   sa.state = IKEV2_STATE_SA_INIT;
   ikev2_generate_sa_init_data (&sa);
   ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
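Review bot: The lookup `p = pool_elt_at_index (km->profiles, sa->profile_index);` removes the dangling pointer across pool reallocation, but an index goes stale just as easily when the profile is deleted and its slot is freed or reused, and nothing in this diff clears `is_profile_index_set` on SAs that reference a removed profile. As I recall `pool_elt_at_index` only asserts that the slot is not free in debug builds, so a release build would read a freed or recycled profile here. The same lookup pattern appears in `ikev2_mngr_process_child_sa` (hunk at 3353) and `ikev2_mngr_process_ipsec_sa` (hunk at 3423). Worth confirming that profile deletion walks the SAs and resets the flag, or recording the assumption next to the lookup, e.g. `/* profile_index is only valid while the profile exists; deleting a profile must clear is_profile_index_set on its SAs */`. The body of ikev2_create_tunnel_interface continues outside the hunk.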
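Review bot: The pointer subtraction in `sa.profile_index = km->profiles - p;` is reversed: with `p` pointing into the `km->profiles` pool, `km->profiles - p` is a negative `ptrdiff_t` that converts to `u32` as 2^32 - k for the k-th element, so only the first profile in the pool (k = 0) yields a correct index and every other profile makes the later `pool_elt_at_index` lookups index far outside the pool. It should read `sa.profile_index = p - km->profiles;`. Because index 0 happens to come out right either way, a test with a single configured profile will not catch this. The enclosing ikev2_initiate_sa_init starts and ends outside the hunk.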
@@ -3353,17 +3359,21 @@ static u8
 ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa)
 {
   ikev2_main_t *km = &ikev2_main;
+  ikev2_profile_t *p = 0;
   vlib_main_t *vm = km->vlib_main;
   f64 now = vlib_time_now (vm);
   u8 res = 0;
 
-  if (sa->is_initiator && sa->profile && csa->time_to_expiration
+  if (sa->is_profile_index_set)
+    p = pool_elt_at_index (km->profiles, sa->profile_index);
+
+  if (sa->is_initiator && p && csa->time_to_expiration
       && now > csa->time_to_expiration)
     {
       if (!csa->is_expired || csa->rekey_retries > 0)
 	{
 	  ikev2_rekey_child_sa_internal (vm, sa, csa);
-	  csa->time_to_expiration = now + sa->profile->handover;
+	  csa->time_to_expiration = now + p->handover;
 	  csa->is_expired = 1;
 	  if (csa->rekey_retries == 0)
 	    {
@@ -3399,6 +3409,7 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
   vlib_main_t *vm = km->vlib_main;
   ikev2_main_per_thread_data_t *tkm;
   ikev2_sa_t *fsa = 0;
+  ikev2_profile_t *p = 0;
   ikev2_child_sa_t *fchild = 0;
   f64 now = vlib_time_now (vm);
   vlib_counter_t counts;
@@ -3423,10 +3434,12 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
   vlib_get_combined_counter (&ipsec_sa_counters, ipsec_sa->stat_index,
			     &counts);
 
-  if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
+  if (fsa && fsa->is_profile_index_set)
+    p = pool_elt_at_index (km->profiles, fsa->profile_index);
+
+  if (fchild && p && p->lifetime_maxdata)
     {
-      if (!fchild->is_expired
-	  && counts.bytes > fsa->profile->lifetime_maxdata)
+      if (!fchild->is_expired && counts.bytes > p->lifetime_maxdata)
 	{
 	  fchild->time_to_expiration = now;
 	}
diff --git a/src/plugins/ikev2/ikev2_priv.h b/src/plugins/ikev2/ikev2_priv.h
index cfdc24f797a..0fedc15310a 100644
--- a/src/plugins/ikev2/ikev2_priv.h
+++ b/src/plugins/ikev2/ikev2_priv.h
@@ -250,7 +250,8 @@ typedef struct
   u8 is_initiator;
   u32 last_init_msg_id;
-  ikev2_profile_t *profile;
+  u8 is_profile_index_set;
+  u32 profile_index;
   ikev2_child_sa_t *childs;
 } ikev2_sa_t;
-- 
2.16.6
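Review bot: The two new fields in ikev2_sa_t carry no comment saying what `profile_index` indexes or when it is meaningful; a reader of the header cannot tell that it is an index into `ikev2_main.profiles` that is only valid while `is_profile_index_set` is nonzero. Suggest `/* index into ikev2_main.profiles; valid only when is_profile_index_set */` above `u32 profile_index;`. As a matter of style, a single `u32 profile_index` initialised to `~0` for "no profile" is the more common VPP idiom and would remove the paired flag, the extra `if (sa->is_profile_index_set)` guards before each lookup, and the two-field copy in ikev2_complete_sa_data. The enclosing typedef starts outside the hunk.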