nat: set fib index for bypass session 66/29266/2
author Vladimir Isaev <visaev@netgate.com>
Tue, 6 Oct 2020 09:59:47 +0000 (12:59 +0300)
committer Matthew Smith <mgsmith@netgate.com>
Mon, 12 Oct 2020 15:00:04 +0000 (15:00 +0000)
Bihash key already contains rx_fib_index for lookup
but fib value for session itself is set to 0.

As a result, bihash is allocated with key with fib index
set, but free function is looking for key with fib index set
to zero. It leads to use-after-free because session itself is
removed from pool but bihash is not because of key mismatch.

Type: fix

Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: I8ac5a41b0a5a32b1baab9e9d757141d5b24b7798

src/plugins/nat/nat.c
src/plugins/nat/out2in_ed.c

index a7a8842..17d1b8f 100644 (file)
@@ -213,6 +213,7 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index,
          l_addr = &s->in2out.addr;
          r_addr = &s->ext_host_addr;
          proto = nat_proto_to_ip_proto (s->nat_proto);
+         fib_index = s->in2out.fib_index;
          init_ed_k (&ed_kv, *l_addr, l_port, *r_addr, r_port, fib_index,
                     proto);
        }
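Review bot: the added `fib_index = s->in2out.fib_index;` overwrites the function's fib_index variable inside this one block, so any later use of fib_index in nat_free_session_data sees the session's value on this path and the previous value on every other path. Passing `s->in2out.fib_index` directly as the argument to init_ed_k would keep the fix local to the key being built. A one-line comment here would also help, stating that the delete key must use the same fib index the session was inserted with, because a mismatch leaves a bihash entry that refers to a session already returned to the pool.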
index de3595b..15cf480 100644 (file)
@@ -481,7 +481,7 @@ create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip,
          s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
          s->out2in.port = ip->protocol;
        }
-      s->out2in.fib_index = 0;
+      s->out2in.fib_index = rx_fib_index;
       s->in2out.addr = s->out2in.addr;
       s->in2out.port = s->out2in.port;
       s->in2out.fib_index = s->out2in.fib_index;
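Review bot: the new `s->out2in.fib_index = rx_fib_index;` together with the unchanged `s->in2out.fib_index = s->out2in.fib_index;` two lines below makes both directions of the bypass session carry rx_fib_index, but nothing visible in this hunk ties those fields to the key that is inserted into the bihash, so the insert and free paths can drift apart again. Consider building the inserted key from the session's own fields, or asserting at this point that the key's fib index equals `s->in2out.fib_index`. The change touches only src/plugins/nat/nat.c and src/plugins/nat/out2in_ed.c, so a regression test that creates a bypass session with a non-zero rx fib index and then frees it would be a worthwhile addition.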