ping: fix double-free crash under VMWare hypervisor

bi0 retrieval from the ping reply events vector was incorrectly done
always from the first element.

For TBD reason the sending of the ping requests under VMWare was batched,
as a result the replies arrive close enough to make the events arrive as
an array, which exposed this bug. KVM never exhibited this behavior, which
explains not seeing this issue there.

Change-Id: I485d6f983571e25baa9407c21ef604937586d8bd
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

diff --git a/src/vnet/ip/ping.c b/src/vnet/ip/ping.c
index 68dbe75..8888262 100644 (file)
--- a/src/vnet/ip/ping.c
+++ b/src/vnet/ip/ping.c
@@ -601,7 +601,7 @@ run_ping_ip46_address (vlib_main_t * vm, u32 table_id, ip4_address_t * pa4,
                int i;
                for (i = 0; i < vec_len (event_data); i++)
                  {
-                   u32 bi0 = event_data[0];
+                   u32 bi0 = event_data[i];
                    print_ip6_icmp_reply (vm, bi0);
                    n_replies++;
                    if (0 != bi0)
@@ -616,7 +616,7 @@ run_ping_ip46_address (vlib_main_t * vm, u32 table_id, ip4_address_t * pa4,
                int i;
                for (i = 0; i < vec_len (event_data); i++)
                  {
-                   u32 bi0 = event_data[0];
+                   u32 bi0 = event_data[i];
                    print_ip4_icmp_reply (vm, bi0);
                    n_replies++;
                    if (0 != bi0)