From 7efa9c53420379e4b848762796630facf6363471 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20Ganne?=
Date: Thu, 18 Jul 2019 17:33:42 +0200
Subject: [PATCH] nat: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Type: fix
Change-Id: Iac91c086c4e975f0bada058f40b7b7d4475377f8
Signed-off-by: BenoƮt Ganne
(cherry picked from commit 7233846ce93fddef495a1029ca211f42afe046f2)
---
 src/plugins/nat/nat_inlines.h | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/plugins/nat/nat_inlines.h b/src/plugins/nat/nat_inlines.h
index e3a6f1942f7..a7ab235f40e 100644
--- a/src/plugins/nat/nat_inlines.h
+++ b/src/plugins/nat/nat_inlines.h
@@ -172,8 +172,12 @@ nat44_delete_session (snat_main_t * sm, snat_session_t * ses,
 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
 thread_index);
 clib_bihash_kv_8_8_t kv, value;
- snat_user_key_t u_key;
 snat_user_t *u;
+ const snat_user_key_t u_key = {
+ .addr = ses->in2out.addr,
+ .fib_index = ses->in2out.fib_index
+ };
+ const u8 u_static = snat_is_session_static (ses);

 clib_dlist_remove (tsm->list_pool, ses->per_user_index);
 pool_put_index (tsm->list_pool, ses->per_user_index);
@@ -181,13 +185,11 @@ nat44_delete_session (snat_main_t * sm, snat_session_t * ses,
 vlib_set_simple_counter (&sm->total_sessions, thread_index, 0,
 pool_elts (tsm->sessions));

- u_key.addr = ses->in2out.addr;
- u_key.fib_index = ses->in2out.fib_index;
 kv.key = u_key.as_u64;
 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
 {
 u = pool_elt_at_index (tsm->users, value.value);
- if (snat_is_session_static (ses))
+ if (u_static)
 u->nstaticsessions--;
 else
 u->nsessions--;
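Review bot: The new locals `u_key` and `u_static` in the first hunk have no comment saying why they are copied out of `ses` at the top of the function, so a later cleanup could move those reads back below the point where the session is released. That release is not visible in either hunk (it presumably sits in the lines the diff skips between them), so the ordering constraint is inferred from the commit title. I would add above the declarations `/* snapshot what is needed from ses here: it must not be dereferenced after the session is returned to the pool */`. The second hunk only swaps in the cached values, and nat44_delete_session continues past its last line, so the rest of the body should be checked for any remaining read of `ses` after the release.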