]> git.puffer.fish Git - mirror/frr.git/commit
projects / mirror / frr.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2f2e981) | patch
ospf6d: prevent use after free
authorDonald Sharp <sharpd@nvidia.com>
Sun, 31 Jan 2021 13:52:44 +0000 (08:52 -0500)
committerIgor Ryzhov <iryzhov@nfware.com>
Tue, 16 Feb 2021 17:57:39 +0000 (20:57 +0300)
commit0813d650a8120458ab7d9317061f3864dbc6f2f7
tree6bfe7c7813b42111a3fd90cac308a876e5524074tree | snapshot
parent2f2e981d967b36b240fca82fea8a961d927ef43ccommit | diff
ospf6d: prevent use after free

Valgrind reports:

2437395-==2437395== Invalid read of size 8
2437395:==2437395==    at 0x40B610: ospf6_asbr_update_route_ecmp_path (ospf6_asbr.c:327)
2437395-==2437395==    by 0x40BC7C: ospf6_asbr_lsa_add (ospf6_asbr.c:544)
2437395-==2437395==    by 0x40C5DF: ospf6_asbr_lsentry_add (ospf6_asbr.c:829)
2437395-==2437395==    by 0x42D88D: ospf6_top_brouter_hook_add (ospf6_top.c:185)
2437395-==2437395==    by 0x4188E3: ospf6_intra_brouter_calculation (ospf6_intra.c:2320)
2437395-==2437395==    by 0x42C624: ospf6_spf_calculation_thread (ospf6_spf.c:638)
2437395-==2437395==    by 0x4904B7E: thread_call (thread.c:1681)
2437395-==2437395==    by 0x48CAA27: frr_run (libfrr.c:1126)
2437395-==2437395==    by 0x40AF43: main (ospf6_main.c:232)
2437395-==2437395==  Address 0x5c668a8 is 24 bytes inside a block of size 256 free'd
2437395:==2437395==    at 0x48399AB: free (vg_replace_malloc.c:538)
2437395-==2437395==    by 0x429027: ospf6_route_delete (ospf6_route.c:419)
2437395-==2437395==    by 0x429027: ospf6_route_unlock (ospf6_route.c:460)
2437395-==2437395==    by 0x429027: ospf6_route_remove (ospf6_route.c:887)
2437395-==2437395==    by 0x40B343: ospf6_asbr_update_route_ecmp_path (ospf6_asbr.c:318)
2437395-==2437395==    by 0x40BC7C: ospf6_asbr_lsa_add (ospf6_asbr.c:544)
2437395-==2437395==    by 0x40C5DF: ospf6_asbr_lsentry_add (ospf6_asbr.c:829)
2437395-==2437395==    by 0x42D88D: ospf6_top_brouter_hook_add (ospf6_top.c:185)
2437395-==2437395==    by 0x4188E3: ospf6_intra_brouter_calculation (ospf6_intra.c:2320)
2437395-==2437395==    by 0x42C624: ospf6_spf_calculation_thread (ospf6_spf.c:638)
2437395-==2437395==    by 0x4904B7E: thread_call (thread.c:1681)
2437395-==2437395==    by 0x48CAA27: frr_run (libfrr.c:1126)
2437395-==2437395==    by 0x40AF43: main (ospf6_main.c:232)
2437395-==2437395==  Block was alloc'd at
2437395:==2437395==    at 0x483AB65: calloc (vg_replace_malloc.c:760)
2437395-==2437395==    by 0x48D2A32: qcalloc (memory.c:115)
2437395-==2437395==    by 0x427CE4: ospf6_route_create (ospf6_route.c:402)
2437395-==2437395==    by 0x40BA8A: ospf6_asbr_lsa_add (ospf6_asbr.c:490)
2437395-==2437395==    by 0x40C5DF: ospf6_asbr_lsentry_add (ospf6_asbr.c:829)
2437395-==2437395==    by 0x42D88D: ospf6_top_brouter_hook_add (ospf6_top.c:185)
2437395-==2437395==    by 0x4188E3: ospf6_intra_brouter_calculation (ospf6_intra.c:2320)
2437395-==2437395==    by 0x42C624: ospf6_spf_calculation_thread (ospf6_spf.c:638)
2437395-==2437395==    by 0x4904B7E: thread_call (thread.c:1681)
2437395-==2437395==    by 0x48CAA27: frr_run (libfrr.c:1126)
2437395-==2437395==    by 0x40AF43: main (ospf6_main.c:232)

ospfv3 loops through the ecmp routes to decide what to clean up.  In some
situations the code free's up an existing route at the head of the list.
Cleaning the pointers in the list but never touching the original pointer.
In that case notice and update the old pointer.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
ospf6d/ospf6_asbr.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.