Hi,

Just wanted to confirm if this is an issue - so I can file a jira ticket.

Thanks,
-nagp

On Tue, May 30, 2017 at 1:19 PM, Nagaprabhanjan Bellaru <
nagp.li...@gmail.com> wrote:

> Hi,
>
> In the recent change made to the above function to register for ARP
> events, it looks like there is an access to the pool elements using
> pointers across a pool_get call.
>
> --
>   while (p && *p != ~0)
>     {
>       mc = pool_elt_at_index (am->mac_changes, *p);
>       if (mc->node_index == node_index && mc->type_opaque == type_opaque
>           && mc->pid == pid)
>         break;
>       p = &mc->next_index;
>     }
> --
>
> Above, p is pointing to a field inside a pool element. Then a pool
> allocation happens:
> --
>       pool_get (am->mac_changes, mc);
> --
>
> And later the old p is used to set the new_idx - which is an issue because
> pool_get above would have re-allocated the pool memory.
> --
>       if (p) {
>         p[0] = new_idx;
>       }
> --
>
> Please let me know if my understanding is correct, so I can file a jira
> ticket.
>
> Thanks,
> -nagp
>
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
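The hazard described in the quoted mail, as an added illustration that is not part of the thread or of VPP's code: a stand-in pool whose storage is relocated on every growth (constructed here so that the stale-pointer case always occurs; VPP's real pool.h differs), the pattern from the mail with `p` pointing into the pool across `pool_get`, kept only for contrast and never called, and the corrected form that remembers the element's index and re-derives pointers after the allocation. `mac_change_t`, `pool_t`, `chain_append` and `demo_*` are names chosen for this example; only `pool_get`, `pool_elt_at_index`, `next_index` and `node_index` come from the thread.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for an index-addressed pool (constructed for this example;
   not VPP's pool.h). Growth always allocates fresh storage and frees the old
   block, so any raw pointer into the pool taken before pool_get() is stale
   after it returns. */
typedef struct {
  uint32_t node_index;
  uint32_t next_index;   /* index of the next element in the chain, or ~0 */
} mac_change_t;

typedef struct {
  mac_change_t *elts;
  uint32_t len;
  uint32_t cap;
  uint32_t moves;        /* how many times growth relocated the storage */
} pool_t;

static mac_change_t *pool_elt_at_index (pool_t *pool, uint32_t i)
{
  return &pool->elts[i];
}

/* Allocate one element and return its index (plays the role of pool_get). */
static uint32_t pool_get (pool_t *pool)
{
  if (pool->len == pool->cap)
    {
      uint32_t ncap = pool->cap ? pool->cap * 2 : 1;
      mac_change_t *n = malloc ((size_t) ncap * sizeof *n);
      if (!n)
        abort ();
      if (pool->len)
        memcpy (n, pool->elts, (size_t) pool->len * sizeof *n);
      free (pool->elts);      /* every old element address is now invalid */
      pool->elts = n;
      pool->cap = ncap;
      pool->moves++;
    }
  return pool->len++;
}

/* The pattern from the mail, shown for contrast and deliberately never
   called: once the chain is non-empty, p points inside the pool, pool_get()
   may free that block, and p is then written through. */
void chain_append_stale_pointer (pool_t *pool, uint32_t *head, uint32_t node_index)
{
  uint32_t *p = head;
  while (*p != ~0u)
    p = &pool_elt_at_index (pool, *p)->next_index;  /* p now points into the pool */
  uint32_t new_idx = pool_get (pool);                /* may move pool->elts */
  pool_elt_at_index (pool, new_idx)->node_index = node_index;
  pool_elt_at_index (pool, new_idx)->next_index = ~0u;
  *p = new_idx;                                      /* write through a stale pointer */
}

/* Corrected form: remember the INDEX of the element to patch, allocate, then
   re-derive every pointer from pool->elts after pool_get() has returned. */
static uint32_t chain_append (pool_t *pool, uint32_t *head, uint32_t node_index)
{
  uint32_t tail = ~0u;
  for (uint32_t i = *head; i != ~0u; i = pool_elt_at_index (pool, i)->next_index)
    tail = i;                                        /* an index survives relocation */

  uint32_t new_idx = pool_get (pool);                /* may move pool->elts */
  mac_change_t *mc = pool_elt_at_index (pool, new_idx); /* derived after the move */
  mc->node_index = node_index;
  mc->next_index = ~0u;

  if (tail == ~0u)
    *head = new_idx;
  else
    pool_elt_at_index (pool, tail)->next_index = new_idx; /* fresh pointer, same index */
  return new_idx;
}

static uint32_t chain_length (pool_t *pool, uint32_t head)
{
  uint32_t n = 0;
  for (uint32_t i = head; i != ~0u; i = pool_elt_at_index (pool, i)->next_index)
    n++;
  return n;
}

/* Build a chain of `count` elements in a fresh pool. With doubling from zero,
   appends 1, 2, 3 and 5 each relocate the storage, so the stale-pointer form
   would have written freed memory on appends 2, 3 and 5. */
static uint32_t demo_moves (uint32_t count)
{
  pool_t pool = { 0 };
  uint32_t head = ~0u;
  for (uint32_t k = 0; k < count; k++)
    chain_append (&pool, &head, 100 + k);
  free (pool.elts);
  return pool.moves;
}

static uint32_t demo_length (uint32_t count)
{
  pool_t pool = { 0 };
  uint32_t head = ~0u;
  for (uint32_t k = 0; k < count; k++)
    chain_append (&pool, &head, 100 + k);
  uint32_t n = chain_length (&pool, head);
  free (pool.elts);
  return n;
}
```

The rule the corrected form follows is the one the mail's reasoning implies: nothing that survives a `pool_get` call may be a pointer into the pool; carry the index across the call and take the pointer again afterwards.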