git.puffer.fish Git - mirror/frr.git/commit
isisd, lib, ospfd, pathd: Null out free'd pointer 10949/head
author Donald Sharp <sharpd@nvidia.com>
Thu, 31 Mar 2022 19:56:24 +0000 (15:56 -0400)
committer mergify-bot <noreply@mergify.com>
Fri, 1 Apr 2022 07:30:04 +0000 (07:30 +0000)
commit 8fbc203fcb9b46e4acd70ea8587da0b38440bd2a
tree cf3da91d1fc922d3de2a38713ffd1cd8551d4896
parent 663b42dd209d50b31505a1be5e840d0b494b3e1a
isisd, lib, ospfd, pathd: Null out free'd pointer

The commands:

router isis 1
  mpls-te on
  no mpls-te on
  mpls-te on
  no mpls-te on
!

Will crash

Valgrind gives us this:
==652336== Invalid read of size 8
==652336==    at 0x49AB25C: typed_rb_min (typerb.c:495)
==652336==    by 0x4943B54: vertices_const_first (link_state.h:424)
==652336==    by 0x493DCE4: vertices_first (link_state.h:424)
==652336==    by 0x493DADC: ls_ted_del_all (link_state.c:1010)
==652336==    by 0x47E77B: isis_instance_mpls_te_destroy (isis_nb_config.c:1871)
==652336==    by 0x495BE20: nb_callback_destroy (northbound.c:1131)
==652336==    by 0x495B5AC: nb_callback_configuration (northbound.c:1356)
==652336==    by 0x4958127: nb_transaction_process (northbound.c:1473)
==652336==    by 0x4958275: nb_candidate_commit_apply (northbound.c:906)
==652336==    by 0x49585B8: nb_candidate_commit (northbound.c:938)
==652336==    by 0x495CE4A: nb_cli_classic_commit (northbound_cli.c:64)
==652336==    by 0x495D6C5: nb_cli_apply_changes_internal (northbound_cli.c:250)
==652336==  Address 0x6f928e0 is 272 bytes inside a block of size 320 free'd
==652336==    at 0x48399AB: free (vg_replace_malloc.c:538)
==652336==    by 0x494BA30: qfree (memory.c:141)
==652336==    by 0x493D99D: ls_ted_del (link_state.c:997)
==652336==    by 0x493DC20: ls_ted_del_all (link_state.c:1018)
==652336==    by 0x47E77B: isis_instance_mpls_te_destroy (isis_nb_config.c:1871)
==652336==    by 0x495BE20: nb_callback_destroy (northbound.c:1131)
==652336==    by 0x495B5AC: nb_callback_configuration (northbound.c:1356)
==652336==    by 0x4958127: nb_transaction_process (northbound.c:1473)
==652336==    by 0x4958275: nb_candidate_commit_apply (northbound.c:906)
==652336==    by 0x49585B8: nb_candidate_commit (northbound.c:938)
==652336==    by 0x495CE4A: nb_cli_classic_commit (northbound_cli.c:64)
==652336==    by 0x495D6C5: nb_cli_apply_changes_internal (northbound_cli.c:250)
==652336==  Block was alloc'd at
==652336==    at 0x483AB65: calloc (vg_replace_malloc.c:760)
==652336==    by 0x494B6F8: qcalloc (memory.c:116)
==652336==    by 0x493D7D2: ls_ted_new (link_state.c:967)
==652336==    by 0x47E4DD: isis_instance_mpls_te_create (isis_nb_config.c:1832)
==652336==    by 0x495BB29: nb_callback_create (northbound.c:1034)
==652336==    by 0x495B547: nb_callback_configuration (northbound.c:1348)
==652336==    by 0x4958127: nb_transaction_process (northbound.c:1473)
==652336==    by 0x4958275: nb_candidate_commit_apply (northbound.c:906)
==652336==    by 0x49585B8: nb_candidate_commit (northbound.c:938)
==652336==    by 0x495CE4A: nb_cli_classic_commit (northbound_cli.c:64)
==652336==    by 0x495D6C5: nb_cli_apply_changes_internal (northbound_cli.c:250)
==652336==    by 0x495D23E: nb_cli_apply_changes (northbound_cli.c:268)

Let's null out the pointer.  After this change, Valgrind no longer reports issues
and isisd no longer crashes.

Fixes: #10939
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit aa5ced0ac866d1645075bef6325884dcb71a3703)
isisd/isis_nb_config.c
lib/link_state.c
lib/link_state.h
ospfd/ospf_te.c
pathd/path_ted.c
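
The pattern the commit message describes, as an added C example (not FRR code and not this commit's diff, which the page does not show): a delete routine that frees an object while its owner keeps the old address, beside a variant that takes the owner's pointer by address and clears it. All type and function names are hypothetical, and the create path that allocates only when the pointer is NULL is an assumption.

```c
#include <stdlib.h>

/* Toy stand-ins (assumptions), not FRR's link_state types or functions. */
struct vertex { struct vertex *next; };
struct ted { struct vertex *vertices; };
struct area { struct ted *ted; };      /* the owner keeps the only pointer */

static int live_teds;                  /* TEDs allocated and not yet freed */

static void ted_release(struct ted *t)
{
	while (t->vertices) {          /* container walk: a stale t is read here */
		struct vertex *v = t->vertices;
		t->vertices = v->next;
		free(v);
	}
	free(t);
	live_teds--;
}

/* Before: the callee frees, the caller's copy still holds the old address. */
void ted_del_all_dangling(struct ted *t) { ted_release(t); }

/* After: the callee receives the owner's pointer by address and clears it. */
void ted_del_all(struct ted **t)
{
	if (!t || !*t)
		return;                /* a repeated "off" becomes a no-op */
	ted_release(*t);
	*t = NULL;
}

/* Assumed create path: allocate only when no TED is attached. */
void feature_on(struct area *a)
{
	if (a->ted) return;            /* a dangling value would pass this check */
	a->ted = calloc(1, sizeof(*a->ted));
	if (!a->ted) abort();
	a->ted->vertices = calloc(1, sizeof(struct vertex)); /* NULL = empty TED */
	live_teds++;
}

void feature_off(struct area *a) { ted_del_all(&a->ted); }

int main(void)
{
	struct area a = { NULL };
	feature_on(&a); feature_off(&a); feature_on(&a); feature_off(&a);
	return live_teds;              /* 0: each TED was freed exactly once */
}
```

With `ted_del_all_dangling(a->ted)` in `feature_off`, the second "on" would skip allocation and the second "off" would walk freed memory, which is the shape of the Valgrind report above.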