ipsec: fix use-after-free
When deleting interface from the API, 'hi' gets removed before 'h->sw_if_index' is copied. Type: fix Change-Id: I8e10108e9bdf95ab2fe002790d98262d583ca58c Signed-off-by: Benoît Ganne <bganne@cisco.com> (cherry picked from commit 8133c780a22480496c74a4ead321e8350d5beeb4)
This commit is contained in:
Benoît Ganne
committed by
Andrew Yourtchenko
Andrew Yourtchenko
parent
c385270341
commit
07228c09a6
@ -268,12 +268,13 @@ ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable)
|
||||
int
|
||||
ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
|
||||
ipsec_add_del_tunnel_args_t * args,
|
||||
u32 * sw_if_index)
|
||||
u32 * sw_if_index_p)
|
||||
{
|
||||
ipsec_tunnel_if_t *t;
|
||||
ipsec_main_t *im = &ipsec_main;
|
||||
vnet_hw_interface_t *hi = NULL;
|
||||
u32 hw_if_index = ~0;
|
||||
u32 sw_if_index = ~0;
|
||||
uword *p;
|
||||
u32 dev_instance;
|
||||
ipsec_key_t crypto_key, integ_key;
|
||||
@ -385,6 +386,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
|
||||
t - im->tunnel_interfaces);
|
||||
|
||||
hi = vnet_get_hw_interface (vnm, hw_if_index);
|
||||
sw_if_index = hi->sw_if_index;
|
||||
|
||||
t->hw_if_index = hw_if_index;
|
||||
t->sw_if_index = hi->sw_if_index;
|
||||
@ -420,6 +422,8 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
|
||||
ti = p[0];
|
||||
t = pool_elt_at_index (im->tunnel_interfaces, ti);
|
||||
hi = vnet_get_hw_interface (vnm, t->hw_if_index);
|
||||
sw_if_index = hi->sw_if_index;
|
||||
|
||||
vnet_sw_interface_set_flags (vnm, hi->sw_if_index, 0); /* admin down */
|
||||
|
||||
ipsec_tunnel_feature_set (im, t, 0);
|
||||
@ -440,8 +444,8 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
|
||||
pool_put (im->tunnel_interfaces, t);
|
||||
}
|
||||
|
||||
if (sw_if_index)
|
||||
*sw_if_index = hi->sw_if_index;
|
||||
if (sw_if_index_p)
|
||||
*sw_if_index_p = sw_if_index;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user