ipcache: Fix refcounting with mix of APIs

Commit c96b9d8 ("ipcache: Remove superfluous if condition") triggers a double-free for cases where there is a mix of users for older and newer internal ipcache APIs. In this scenario, the older ipcache APIs are used to inject entries into the ipcache, then InjectLabels() attempts to allocate a new security identity reference for the same CIDR and assumes that it already holds a reference to the corresponding identity and releases its own reference. If the other module ever releases its reference, then that results in freeing of the identity regardless of its continued expected usage by users of the newer ipcache APIs. This leads to policy recalculation that removes any datapath allow rules for the corresponding CIDRs, ultimately resulting in packet loss for the impacted CIDRs.

One such example involves CIDR identity restore startup logic in the daemon. That path allocates identities then injects them into the ipcache using older APIs. If any such CIDRs are used by network policies, then the network policies subsystem will insert the CIDR into the ipcache using newer ipcache APIs, which will then trigger this double-free.

Fixes: c96b9d8 ("ipcache: Remove superfluous if condition")
Reported-by: Boris Petrovic <carnerito.b@gmail.com>
Reported-by: Kim-Eirik Karlsen <kim.eirik@gmail.com>
Reported-by: Jason Witkowski <jason@witkow.ski>
Signed-off-by: Joe Stringer <joe@cilium.io>
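
The reference accounting described in the commit message, replayed on a toy allocator. This is an added example, not code from the commit or from Cilium; `Allocator`, `Scenario` and the `newUserKeepsOwnRef` switch are hypothetical names, and the "correct" branch is an assumption about sound accounting rather than the patch itself.

```go
package main

import "fmt"

// Allocator is a hypothetical, simplified reference-counted identity
// allocator keyed by CIDR. It models the accounting only, not Cilium's code.
type Allocator struct{ refs map[string]int }

// Allocate takes one reference on the identity for cidr.
func (a *Allocator) Allocate(cidr string) { a.refs[cidr]++ }

// Release drops one reference; it returns true when the last one is gone
// and the identity is freed.
func (a *Allocator) Release(cidr string) bool {
	if a.refs[cidr] == 0 {
		return false // nothing held: a real allocator would flag this
	}
	a.refs[cidr]--
	if a.refs[cidr] > 0 {
		return false
	}
	delete(a.refs, cidr)
	return true
}

// Scenario replays the sequence from the commit message and reports whether
// the identity is still allocated after the older-API user lets go of it.
// newUserKeepsOwnRef=false models the faulty assumption; true models correct
// accounting (an assumption here, the actual patch is not shown).
func Scenario(newUserKeepsOwnRef bool) bool {
	a := &Allocator{refs: map[string]int{}}
	const cidr = "192.0.2.0/24" // constructed sample CIDR

	a.Allocate(cidr) // older API user (e.g. CIDR identity restore) holds 1 ref
	a.Allocate(cidr) // newer API user (policy) allocates for the same CIDR
	if !newUserKeepsOwnRef {
		a.Release(cidr) // "already hold a reference": gives back its own ref
	}
	a.Release(cidr) // older API user releases its reference
	return a.refs[cidr] > 0
}

func main() {
	fmt.Println("faulty accounting, identity still live:", Scenario(false))
	fmt.Println("correct accounting, identity still live:", Scenario(true))
}
```

With the faulty accounting the identity is gone while the policy user still depends on it, which is the condition the message ties to removed allow rules and packet loss.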