session: fix use-after-free

author Benoît Ganne <bganne@cisco.com>

Thu, 18 Jul 2019 16:38:42 +0000 (18:38 +0200)

committer Florin Coras <florin.coras@gmail.com>

Tue, 1 Oct 2019 21:57:09 +0000 (21:57 +0000)
author Benoît Ganne <bganne@cisco.com>
Thu, 18 Jul 2019 16:38:42 +0000 (18:38 +0200)
committer Florin Coras <florin.coras@gmail.com>
Tue, 1 Oct 2019 21:57:09 +0000 (21:57 +0000)
diff --git a/src/plugins/sctp/sctp.h b/src/plugins/sctp/sctp.h

index a99b01c..aa2409e 100644 (file)
--- a/src/plugins/sctp/sctp.h
+++ b/src/plugins/sctp/sctp.h
@@ -607,11 +607,11 @@ always_inline void
  sctp_half_open_connection_del (sctp_connection_t * tc)
  {
    sctp_main_t *sctp_main = vnet_get_sctp_main ();
+  u32 index = tc->sub_conn[SCTP_PRIMARY_PATH_IDX].c_c_index;
    clib_spinlock_lock_if_init (&sctp_main->half_open_lock);
-  pool_put_index (sctp_main->half_open_connections,
-                 tc->sub_conn[SCTP_PRIMARY_PATH_IDX].c_c_index);
    if (CLIB_DEBUG)
      clib_memset (tc, 0xFA, sizeof (*tc));
+  pool_put_index (sctp_main->half_open_connections, index);
    clib_spinlock_unlock_if_init (&sctp_main->half_open_lock);
  }
  
diff --git a/src/vnet/session/application.c b/src/vnet/session/application.c

index d4f3d61..583c4b0 100644 (file)
--- a/src/vnet/session/application.c
+++ b/src/vnet/session/application.c
@@ -52,9 +52,9 @@ static void
  app_listener_free (application_t * app, app_listener_t * app_listener)
  {
    clib_bitmap_free (app_listener->workers);
-  pool_put (app->listeners, app_listener);
    if (CLIB_DEBUG)
      clib_memset (app_listener, 0xfa, sizeof (*app_listener));
+  pool_put (app->listeners, app_listener);
  }
  
  session_handle_t
diff --git a/src/vnet/session/application_worker.c b/src/vnet/session/application_worker.c

index 30edf3c..c456797 100644 (file)
--- a/src/vnet/session/application_worker.c
+++ b/src/vnet/session/application_worker.c
@@ -109,9 +109,9 @@ app_worker_free (app_worker_t * app_wrk)
         segment_manager_free (sm);
      }
  
-  pool_put (app_workers, app_wrk);
    if (CLIB_DEBUG)
      clib_memset (app_wrk, 0xfe, sizeof (*app_wrk));
+  pool_put (app_workers, app_wrk);
  }
  
  application_t *
diff --git a/src/vnet/tcp/tcp.c b/src/vnet/tcp/tcp.c

index 75a45a4..8467ea4 100644 (file)
--- a/src/vnet/tcp/tcp.c
+++ b/src/vnet/tcp/tcp.c
@@ -192,9 +192,9 @@ tcp_half_open_connection_del (tcp_connection_t * tc)
  {
    tcp_main_t *tm = vnet_get_tcp_main ();
    clib_spinlock_lock_if_init (&tm->half_open_lock);
-  pool_put_index (tm->half_open_connections, tc->c_c_index);
    if (CLIB_DEBUG)
      clib_memset (tc, 0xFA, sizeof (*tc));
+  pool_put (tm->half_open_connections, tc);
    clib_spinlock_unlock_if_init (&tm->half_open_lock);
  }
  
diff --git a/src/vnet/udp/udp.c b/src/vnet/udp/udp.c

index 949c635..fbd9e98 100644 (file)
--- a/src/vnet/udp/udp.c
+++ b/src/vnet/udp/udp.c
@@ -58,9 +58,10 @@ udp_connection_alloc (u32 thread_index)
  void
  udp_connection_free (udp_connection_t * uc)
  {
-  pool_put (udp_main.connections[uc->c_thread_index], uc);
+  u32 thread_index = uc->c_thread_index;
    if (CLIB_DEBUG)
      clib_memset (uc, 0xFA, sizeof (*uc));
+  pool_put (udp_main.connections[thread_index], uc);
  }
  
  void
author	Benoît Ganne <bganne@cisco.com>
	Thu, 18 Jul 2019 16:38:42 +0000 (18:38 +0200)
committer	Florin Coras <florin.coras@gmail.com>
	Tue, 1 Oct 2019 21:57:09 +0000 (21:57 +0000)
src/plugins/sctp/sctp.h		patch \| blob \| history
src/vnet/session/application.c		patch \| blob \| history
src/vnet/session/application_worker.c		patch \| blob \| history
src/vnet/tcp/tcp.c		patch \| blob \| history
src/vnet/udp/udp.c		patch \| blob \| history