Hi,

In the recent change made to the above function to register for ARP events,
it looks like there is an access to the pool elements using pointers across
a pool_get call.

--
  while (p && *p != ~0)
    {
      mc = pool_elt_at_index (am->mac_changes, *p);
      if (mc->node_index == node_index && mc->type_opaque == type_opaque
          && mc->pid == pid)
        break;
      p = &mc->next_index;
    }
--

Above, p is pointing to a field inside a pool element. Then a pool
allocation happens:
--
      pool_get (am->mac_changes, mc);
--

And later the old p is used to set the new_idx, which is an issue because
pool_get above would have reallocated the pool memory.
--
      if (p) {
        p[0] = new_idx;
      }
--

Please let me know if my understanding is correct, so I can file a Jira
ticket.

Thanks,
-nagp
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
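The hazard described in the mail, as an added stand-alone example that is not VPP code and not part of the original message: a small C model of a pool whose storage moves when it grows (a hypothetical stand-in for vppinfra's pool, with the names `pool_get`, `pool_elt_at_index` and `mac_change_t` reused only for readability). `add_event_unsafe` follows the mail's sequence, walking the chain with a pointer into a pool element, then calling `pool_get`, and reports whether that pointer would now point into freed memory instead of writing through it; `add_event_fixed` remembers the predecessor by index and re-derives the pointer after the allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_END (~0u)

typedef struct {
  uint32_t node_index;
  uint32_t type_opaque;
  uint32_t pid;
  uint32_t next_index;   /* index of the next registration, POOL_END at the tail */
} mac_change_t;

/* Hypothetical pool model (not vppinfra's pool.h): a growable array whose
 * storage is replaced on growth, so element addresses are only valid until
 * the next pool_get(). */
typedef struct {
  mac_change_t *elts;
  uint32_t len, cap;
} mc_pool_t;

static mac_change_t *pool_elt_at_index(mc_pool_t *pl, uint32_t i)
{
  return &pl->elts[i];
}

/* Allocate one element. Growth allocates a fresh block before freeing the old
 * one, so the base address always changes (a realloc may or may not move;
 * the hazard for callers is the same). Returns the new element's index. */
static uint32_t pool_get(mc_pool_t *pl)
{
  if (pl->len == pl->cap) {
    uint32_t ncap = pl->cap ? pl->cap * 2 : 1;
    mac_change_t *n = malloc(ncap * sizeof *n);
    if (!n) abort();
    if (pl->len) memcpy(n, pl->elts, pl->len * sizeof *n);
    free(pl->elts);
    pl->elts = n;
    pl->cap = ncap;
  }
  uint32_t idx = pl->len++;
  memset(&pl->elts[idx], 0, sizeof pl->elts[idx]);
  return idx;
}

static void fill(mac_change_t *mc, uint32_t node_index, uint32_t type_opaque, uint32_t pid)
{
  mc->node_index = node_index; mc->type_opaque = type_opaque; mc->pid = pid;
  mc->next_index = POOL_END;
}

/* Pattern from the mail: `p` is the head or a next_index field inside a pool
 * element, and it is held across pool_get(). Returns -1 for a duplicate
 * registration, 1 if `p` no longer points into the pool's current storage
 * (writing p[0] here would be a write into freed memory), 0 if it was safe. */
static int add_event_unsafe(mc_pool_t *pl, uint32_t *head,
                            uint32_t node_index, uint32_t type_opaque, uint32_t pid)
{
  uint32_t *p = head;
  while (*p != POOL_END) {
    mac_change_t *mc = pool_elt_at_index(pl, *p);
    if (mc->node_index == node_index && mc->type_opaque == type_opaque && mc->pid == pid)
      return -1;
    p = &mc->next_index;             /* pointer into the pool's storage */
  }
  uint32_t new_idx = pool_get(pl);   /* may move pl->elts */
  fill(pool_elt_at_index(pl, new_idx), node_index, type_opaque, pid);
  if (p == head) { *p = new_idx; return 0; }
  uintptr_t lo = (uintptr_t)pl->elts, hi = lo + (uintptr_t)pl->cap * sizeof *pl->elts;
  if ((uintptr_t)p < lo || (uintptr_t)p >= hi)
    return 1;                        /* stale: refuse to write through it */
  *p = new_idx;
  return 0;
}

/* Fixed: remember the predecessor by index, look it up again after pool_get(). */
static int add_event_fixed(mc_pool_t *pl, uint32_t *head,
                           uint32_t node_index, uint32_t type_opaque, uint32_t pid)
{
  uint32_t prev = POOL_END;          /* POOL_END means "link from the head" */
  for (uint32_t i = *head; i != POOL_END; i = pool_elt_at_index(pl, i)->next_index) {
    mac_change_t *mc = pool_elt_at_index(pl, i);
    if (mc->node_index == node_index && mc->type_opaque == type_opaque && mc->pid == pid)
      return -1;
    prev = i;
  }
  uint32_t new_idx = pool_get(pl);
  fill(pool_elt_at_index(pl, new_idx), node_index, type_opaque, pid);
  if (prev == POOL_END) *head = new_idx;
  else pool_elt_at_index(pl, prev)->next_index = new_idx;  /* fresh pointer */
  return 0;
}

static uint32_t chain_length(mc_pool_t *pl, uint32_t head)
{
  uint32_t n = 0;
  for (uint32_t i = head; i != POOL_END; i = pool_elt_at_index(pl, i)->next_index) n++;
  return n;
}

int main(void)
{
  mc_pool_t a = {0}, b = {0};
  uint32_t ha = POOL_END, hb = POOL_END;
  add_event_unsafe(&a, &ha, 1, 0, 100);
  printf("unsafe second add, pool grew: stale=%d\n", add_event_unsafe(&a, &ha, 2, 0, 100));
  for (uint32_t n = 1; n <= 3; n++) add_event_fixed(&b, &hb, n, 0, 100);
  printf("fixed chain length: %u\n", chain_length(&b, hb));
  free(a.elts); free(b.elts);
  return 0;
}
```

The unsafe variant only goes wrong once the chain is non-empty and the allocation triggers growth, which is why the first registration looks fine and the second one leaves `p` dangling; in the real code the symptom would depend on what the allocator did with the old block, so it is the kind of bug that passes light testing and surfaces later as corruption.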