ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

quic: fix use-after-free

Browse Source 
Type: fix

Change-Id: I5e5e37684e336ca992dae8ea1d39b1fb103802b1
Signed-off-by: Benoît Ganne <bganne@cisco.com>
This commit is contained in:
Benoît Ganne
2019-09-11 16:41:49 +02:00
parent b087696489
commit 6d6456ab42
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/plugins/quic/quic.c
View File

@ -1404,6 +1404,11 @@ quic_on_client_connected (quic_ctx_t * ctx)
/* If the app opens a stream in its callback it may invalidate ctx */ /* If the app opens a stream in its callback it may invalidate ctx */
ctx = quic_ctx_get (ctx_id, thread_index); ctx = quic_ctx_get (ctx_id, thread_index);
/*
* app_worker_connect_notify() might have reallocated pool, reload
* quic_session pointer
*/
quic_session = session_get (ctx->c_s_index, thread_index);
quic_session->session_state = SESSION_STATE_LISTENING; quic_session->session_state = SESSION_STATE_LISTENING;
return 0; return 0;
@ -1997,10 +2002,10 @@ quic_process_one_rx_packet (u64 udp_session_handle,
{ {
/* Right ctx found, create conn & remove from pool */ /* Right ctx found, create conn & remove from pool */
quic_create_connection(*ctx_index_ptr, sa, salen, packet_ctx->packet); quic_create_connection(*ctx_index_ptr, sa, salen, packet_ctx->packet);
pool_put (opening_ctx_pool, ctx_index_ptr);
*max_packet = packet_n + 1; *max_packet = packet_n + 1;
packet_ctx->thread_index = thread_index; packet_ctx->thread_index = thread_index;
packet_ctx->ctx_index = *ctx_index_ptr; packet_ctx->ctx_index = *ctx_index_ptr;
pool_put (opening_ctx_pool, ctx_index_ptr);
goto updateOffset; goto updateOffset;
} }
})); }));