lisp: fix use-after-free

Type: fix

Change-Id: I42c3e3514ba50d40e09ee688d083f3e78fa0713a
Signed-off-by: Benoît Ganne <bganne@cisco.com>

diff --git a/src/vnet/lisp-cp/control.c b/src/vnet/lisp-cp/control.c
index 09f5c0a..0eb7b1d 100644 (file)
--- a/src/vnet/lisp-cp/control.c
+++ b/src/vnet/lisp-cp/control.c
@@ -1404,19 +1404,19 @@ vnet_lisp_del_mapping (gid_address_t * eid, u32 * res_map_index)
   gid_address_copy (&m_args->eid, eid);
   m_args->locator_set_index = old_map->locator_set_index;
 
-  /* delete mapping associated from map-cache */
-  vnet_lisp_map_cache_add_del (m_args, 0);
-
   ls_args->is_add = 0;
   ls_args->index = old_map->locator_set_index;
 
-  /* delete locator set */
-  vnet_lisp_add_del_locator_set (ls_args, 0);
-
   /* delete timer associated to the mapping if any */
   if (old_map->timer_set)
     mapping_delete_timer (lcm, mi);
 
+  /* delete locator set */
+  vnet_lisp_add_del_locator_set (ls_args, 0);
+
+  /* delete mapping associated from map-cache */
+  vnet_lisp_map_cache_add_del (m_args, 0);
+
   /* return old mapping index */
   if (res_map_index)
     res_map_index[0] = mi;
@@ -2010,8 +2010,8 @@ vnet_lisp_add_del_locator (vnet_lisp_add_del_locator_set_args_t * a,
              removed = 1;
              remove_locator_from_locator_set (ls, locit, ls_index, loc_id);
            }
-         if (0 == loc->local &&
-             !gid_address_cmp (&loc->address, &itloc->address))
+         else if (0 == loc->local &&
+                  !gid_address_cmp (&loc->address, &itloc->address))
            {
              removed = 1;
              remove_locator_from_locator_set (ls, locit, ls_index, loc_id);