fib: refresh adj pointer after fib_walk_sync due to possible realloc

fib_walk_sync may call adj_alloc which may cause adj_pool to expand. When that happens, any previous frame which still use the old adj pointer needs to refresh. Failure to do so may access or update to the old adj memory unintentionally and crash mysteriously. Type: fix Ticket: VPPSUPP-54 Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I173dec4c5ce81c6e26c4fe011b894a7345901b24
FDio · Feb 3, 2020 · 3d5f622 · 3d5f622
1 parent 48ac1c2
commit 3d5f622
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/src/vnet/adj/adj_nbr.c b/src/vnet/adj/adj_nbr.c
@@ -452,6 +452,12 @@ adj_nbr_update_rewrite_internal (ip_adjacency_t *adj,
 	};
 
 	fib_walk_sync(FIB_NODE_TYPE_ADJ, walk_ai, &bw_ctx);
+	/*
+	 * fib_walk_sync may allocate a new adjacency and potentially cuase a
+	 * realloc for adj_pool. When that happens, adj pointer is no longer
+	 * valid here. We refresh the adj pointer accordingly.
+	 */
+	adj = adj_get (ai);
     }
 
     /*

diff --git a/src/vnet/ip-neighbor/ip_neighbor.c b/src/vnet/ip-neighbor/ip_neighbor.c
@@ -615,6 +615,13 @@ ip_neighbor_update (vnet_main_t * vnm, adj_index_t ai)
 	   * wouldn't be bad either, but that's more code than i'm prepared to
 	   * write at this time for relatively little reward.
 	   */
+	  /*
+	   * adj_nbr_update_rewrite may actually call fib_walk_sync.
+	   * fib_walk_sync may allocate a new adjacency and potentially cause
+	   * a realloc for adj_pool. When that happens, adj pointer is no
+	   * longer valid here.x We refresh adj pointer accordingly.
+	   */
+	  adj = adj_get (ai);
 	  ip_neighbor_probe (adj);
 	}
       break;