ikev2: fix use-after-free

author Benoît Ganne <bganne@cisco.com>

Tue, 22 Jun 2021 13:39:16 +0000 (15:39 +0200)

committer Damjan Marion <dmarion@me.com>

Fri, 20 Aug 2021 11:36:51 +0000 (11:36 +0000)
author Benoît Ganne <bganne@cisco.com>
Tue, 22 Jun 2021 13:39:16 +0000 (15:39 +0200)
committer Damjan Marion <dmarion@me.com>
Fri, 20 Aug 2021 11:36:51 +0000 (11:36 +0000)
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c

index 4f0e49f..cfcbcd4 100644 (file)
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -5208,7 +5208,8 @@ ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt,
         vec_foreach (sai, to_be_deleted)
         {
           sa = pool_elt_at_index (tkm->sas, sai[0]);
-         u8 reinitiate = (sa->is_initiator && sa->profile_index != ~0);
+         const u32 profile_index = sa->profile_index;
+         const int reinitiate = (sa->is_initiator && profile_index != ~0);
           vec_foreach (c, sa->childs)
           {
             ikev2_delete_tunnel_interface (km->vnet_main, sa, c);
@@ -5220,7 +5221,7 @@ ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt,
  
           if (reinitiate)
             {
-             p = pool_elt_at_index (km->profiles, sa->profile_index);
+             p = pool_elt_at_index (km->profiles, profile_index);
               if (p)
                 {
                   clib_error_t *e = ikev2_initiate_sa_init (vm, p->name);
author	Benoît Ganne <bganne@cisco.com>
	Tue, 22 Jun 2021 13:39:16 +0000 (15:39 +0200)
committer	Damjan Marion <dmarion@me.com>
	Fri, 20 Aug 2021 11:36:51 +0000 (11:36 +0000)