From 21076e5d47ce294df4aa0e16cc92c183046f071e Mon Sep 17 00:00:00 2001
From: Dave Barach
Date: Tue, 7 Aug 2018 12:46:18 -0400
Subject: [PATCH] Fix dangling reference in l2fib_scan(...)
Deleting a bihash kvp frees the bucket's backing storage when the bucket reference count reaches zero. l2fib_scan MUST check for that condition, and stop scanning the bucket if it occurs. One of the L2 FIB extended "make test" vectors caused this issue 100% of the time.
Change-Id: I250bcc4c1518e16042120fbc4032227a759a602e
Signed-off-by: Dave Barach
(cherry picked from commit 28374cada08df61180044e24cb758fa570e73c9d)
---
 src/vnet/l2/l2_fib.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/vnet/l2/l2_fib.c b/src/vnet/l2/l2_fib.c
index 959cf4dea17..d891ced1080 100644
--- a/src/vnet/l2/l2_fib.c
+++ b/src/vnet/l2/l2_fib.c
@@ -1103,9 +1103,17 @@ l2fib_scan (vlib_main_t * vm, f64 start_time, u8 event_only)
 kv.key = key.raw;
 BV (clib_bihash_add_del) (&fm->mac_table, &kv, 0);
 learn_count--;
+ /*
+ * Note: we may have just freed the bucket's backing
+ * storage, so check right here...
+ */
+ if (b->offset == 0)
+ goto doublebreak;
 }
 v++;
 }
+ doublebreak:
+ ;
 }
 /* keep learn count consistent */
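Review bot: The new guard `if (b->offset == 0)` depends on two bihash internals that the hunk does not show: that `b` itself remains valid after `BV (clib_bihash_add_del)`, and that the delete path leaves `offset` at zero once the bucket's storage has been freed. Because `v` points into that storage, a later change to either assumption would quietly bring back the use-after-free, so the comment should state the dependency, e.g. `/* presumably bihash zeroes b->offset when the last kvp goes; v then points at freed memory and must not be read */`. The bare `;` after `doublebreak:` would also read better with a short `/* a label must be followed by a statement */`. The enclosing loops of l2fib_scan begin outside the hunk, so it is not visible here whether anything between the label and the next bucket iteration still touches `v`.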