From bfe737a1b29afea2e10248b8c9fa800148fbd573 Mon Sep 17 00:00:00 2001
From: Ivan Kelly
Date: Fri, 7 Oct 2016 18:02:43 +0200
Subject: [PATCH] Fix double free in af_packet api/cli

The api was allocating a vector for the name, passing it, then freeing it, on create. The cli allocated, passed then forgot about it. af_packet_create_if was storing a reference to the name, which in the case of the api, meant it was referencing dead memory. On af_packet_delete_if this reference was freed, so in the api case, there was a double free. Also, the cli for delete leaked the name.

Change-Id: I4d572bd2936eaf8ea7a0a8ff282e83ac2bf1b062
Signed-off-by: Ivan Kelly
---
 vnet/vnet/devices/af_packet/af_packet.c | 8 +++++---
 vnet/vnet/devices/af_packet/cli.c | 2 ++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/vnet/vnet/devices/af_packet/af_packet.c b/vnet/vnet/devices/af_packet/af_packet.c
index cec25fed035..91c3988b439 100644
--- a/vnet/vnet/devices/af_packet/af_packet.c
+++ b/vnet/vnet/devices/af_packet/af_packet.c
@@ -187,6 +187,7 @@ af_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set,
 vnet_main_t *vnm = vnet_get_main ();
 uword *p;
 uword if_index;
+ u8 *host_if_name_dup = vec_dup (host_if_name);
 p = mhash_get (&apm->if_index_by_host_if_name, host_if_name);
 if (p)
@@ -220,7 +221,7 @@ af_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set,
 apif->tx_ring = ring + rx_req->tp_block_size * rx_req->tp_block_nr;
 apif->rx_req = rx_req;
 apif->tx_req = tx_req;
- apif->host_if_name = host_if_name;
+ apif->host_if_name = host_if_name_dup;
 apif->per_interface_next_index = ~0;
 apif->next_tx_frame = 0;
 apif->next_rx_frame = 0;
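Review bot: The copy made by `vec_dup (host_if_name)` in the first hunk (@@ -187) is taken before the `mhash_get` lookup, so any return that does not pass through the `error:` label leaks it. The `if (p)` branch right after it is the likely case: its body is outside the hunk, but if it returns directly when the interface already exists, each repeated create request for an existing name leaks one vector. Declare the pointer as `u8 *host_if_name_dup = 0;` and move `host_if_name_dup = vec_dup (host_if_name);` to just after the `if (p)` check, or send that branch through `goto error`. af_packet_create_if starts and ends outside this hunk, so other early returns should be checked the same way.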
@@ -268,13 +269,14 @@ af_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set,
 vnet_hw_interface_set_flags (vnm, apif->hw_if_index, VNET_HW_INTERFACE_FLAG_LINK_UP);
- mhash_set_mem (&apm->if_index_by_host_if_name, host_if_name, &if_index, 0);
+ mhash_set_mem (&apm->if_index_by_host_if_name, host_if_name_dup, &if_index,
+ 0);
 if (sw_if_index) *sw_if_index = apif->sw_if_index;
 return 0;
 error:
- vec_free (host_if_name);
+ vec_free (host_if_name_dup);
 vec_free (rx_req);
 vec_free (tx_req);
 return ret;
diff --git a/vnet/vnet/devices/af_packet/cli.c b/vnet/vnet/devices/af_packet/cli.c
index 87ec5182c74..2cbd415289e 100644
--- a/vnet/vnet/devices/af_packet/cli.c
+++ b/vnet/vnet/devices/af_packet/cli.c
@@ -65,6 +65,7 @@ af_packet_create_command_fn (vlib_main_t * vm, unformat_input_t * input,
 return clib_error_return (0, "missing host interface name");
 r = af_packet_create_if (vm, host_if_name, hw_addr_ptr, &sw_if_index);
+ vec_free (host_if_name);
 if (r == VNET_API_ERROR_SYSCALL_ERROR_1) return clib_error_return (0, "%s (errno %d)", strerror (errno), errno);
@@ -113,6 +114,7 @@ af_packet_delete_command_fn (vlib_main_t * vm, unformat_input_t * input,
 return clib_error_return (0, "missing host interface name");
 af_packet_delete_if (vm, host_if_name);
+ vec_free (host_if_name);
 return 0;
 }
--
2.16.6
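Review bot: Nothing at the `error:` cleanup in the af_packet.c hunk at @@ -268 records the ownership rule this fix depends on: af_packet_create_if keeps and frees only its own copy, while the caller stays responsible for `host_if_name`. A later edit that restores `vec_free (host_if_name)` here, or drops the caller-side `vec_free` added in cli.c, would bring back the double free or the leak without any visible warning. Add a comment above the cleanup such as `/* free only our copy; the caller owns and frees host_if_name */`, and state the same rule in the function's header comment, which is outside this hunk.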