ipsec: fix use-after-free
When deleting an interface from the API, 'hi' gets removed before
'hi->sw_if_index' is copied.
Type: fix
Change-Id: I8e10108e9bdf95ab2fe002790d98262d583ca58c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index f7f8ec7..a737274 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -268,12 +268,13 @@
int
ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
ipsec_add_del_tunnel_args_t * args,
- u32 * sw_if_index)
+ u32 * sw_if_index_p)
{
ipsec_tunnel_if_t *t;
ipsec_main_t *im = &ipsec_main;
vnet_hw_interface_t *hi = NULL;
u32 hw_if_index = ~0;
+ u32 sw_if_index = ~0;
uword *p;
u32 dev_instance;
ipsec_key_t crypto_key, integ_key;
@@ -385,6 +386,7 @@
t - im->tunnel_interfaces);
hi = vnet_get_hw_interface (vnm, hw_if_index);
+ sw_if_index = hi->sw_if_index;
t->hw_if_index = hw_if_index;
t->sw_if_index = hi->sw_if_index;
@@ -420,6 +422,8 @@
ti = p[0];
t = pool_elt_at_index (im->tunnel_interfaces, ti);
hi = vnet_get_hw_interface (vnm, t->hw_if_index);
+ sw_if_index = hi->sw_if_index;
+
vnet_sw_interface_set_flags (vnm, hi->sw_if_index, 0); /* admin down */
ipsec_tunnel_feature_set (im, t, 0);
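Review bot: The early copy `sw_if_index = hi->sw_if_index;` in the delete branch has no comment saying why it must come before the teardown, so a later cleanup could move the read back to the end of the function and reintroduce the use-after-free described in the commit message. I would add `/* copy now: hi is no longer valid once the interface is deleted below */` above it. The following call could then take the local, `vnet_sw_interface_set_flags (vnm, sw_if_index, 0);`, so that `hi` is read in one place only in this branch. The rest of the delete branch lies outside this hunk, so the exact point where `hi` becomes invalid is inferred from the commit message rather than visible here.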
@@ -440,8 +444,8 @@
pool_put (im->tunnel_interfaces, t);
}
- if (sw_if_index)
- *sw_if_index = hi->sw_if_index;
+ if (sw_if_index_p)
+ *sw_if_index_p = sw_if_index;
return 0;
}
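Review bot: `hi` is no longer dereferenced at the end of the function, but it is still a function-scope pointer that, per the commit message, refers to a removed interface after the delete path, so it stays dangling until return. Setting `hi = NULL;` immediately after the call that deletes the interface (outside this hunk, earlier in the delete branch) would make any future read fault deterministically instead of reading freed memory. Separately, `*sw_if_index_p` now receives the initial `~0` on any path that reaches this point without either assignment. If such a path exists, the function's header comment should say that callers must treat `~0` as "no interface".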