fib: refresh adj pointer after fib_walk_sync due to possible realloc

fib_walk_sync may call adj_alloc which may cause adj_pool to expand. When
that happens, any previous frame which still use the old adj pointer needs to
refresh. Failure to do so may access or update to the old adj memory
unintentionally and crash mysteriously.

Type: fix
Ticket: VPPSUPP-54

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ia7c6cb03c1ed9ddbbfb12dd42c8abc7f5b3f210c
This commit is contained in:
Steven Luong
2020-01-29 13:26:47 -08:00
parent 0d40954b42
commit dfad269860
2 changed files with 20 additions and 0 deletions

View File

@ -449,6 +449,12 @@ adj_nbr_update_rewrite_internal (ip_adjacency_t *adj,
}; };
fib_walk_sync(FIB_NODE_TYPE_ADJ, walk_ai, &bw_ctx); fib_walk_sync(FIB_NODE_TYPE_ADJ, walk_ai, &bw_ctx);
/*
* fib_walk_sync may allocate a new adjacency and potentially cuase a realloc
* for adj_pool. When that happens, adj pointer is no longer valid here.
* We refresh the adj pointer accordingly.
*/
adj = adj_get (ai);
} }
/* /*

View File

@ -563,6 +563,13 @@ arp_update_adjacency (vnet_main_t * vnm, u32 sw_if_index, u32 ai)
* wouldn't be bad either, but that's more code than i'm prepared to * wouldn't be bad either, but that's more code than i'm prepared to
* write at this time for relatively little reward. * write at this time for relatively little reward.
*/ */
/*
* adj_nbr_update_rewrite may actually call fib_walk_sync.
* fib_walk_sync may allocate a new adjacency and potentially cause
* a realloc for adj_pool. When that happens, adj pointer is no
* longer valid here. We refresh adj pointer accordingly.
*/
adj = adj_get (ai);
arp_nbr_probe (adj); arp_nbr_probe (adj);
} }
break; break;
@ -574,6 +581,13 @@ arp_update_adjacency (vnet_main_t * vnm, u32 sw_if_index, u32 ai)
sw_if_index, sw_if_index,
VNET_LINK_IP4, VNET_LINK_IP4,
VNET_REWRITE_FOR_SW_INTERFACE_ADDRESS_BROADCAST)); VNET_REWRITE_FOR_SW_INTERFACE_ADDRESS_BROADCAST));
/*
* Caution: adj_nbr_update_rewrite may actually call fib_walk_sync.
* fib_walk_sync may allocate a new adjacency and potentially cause a
* realloc for adj_pool. When that happens, adj pointer is no longer
* valid here. Please refresh adj pointer accordingly if it is still
* needed after the aformentioned call.
*/
break; break;
case IP_LOOKUP_NEXT_MCAST: case IP_LOOKUP_NEXT_MCAST:
{ {