ldpd: fix heap-use-after-free at exit

This problems happens because, in this port, whenever the child
processes want to log something they send a message to the parent. But
in the shutdown functions the first thing we do is to close the pipes
to the parent process. With that said, add some protections to prevent
the child processes from trying to use a closed pipe and just ignore
their log messages during shutdown. In the future we need to share
the logging configuration with the child processes so they can send
log messages on their own.

While here, remove some unnecessary calls to msgbuf_write() in
ldpe_shutdown().

Fixes #1253.

Signed-off-by: Renato Westphal <renato@opensourcerouting.org>

diff --git a/ldpd/lde.c b/ldpd/lde.c
index 648eefa6530bf25eace9256c0324daf9d14f7fbc..a7f933bbe56e597a4a98df2c99072c523d2c5fde 100644 (file)
--- a/ldpd/lde.c
+++ b/ldpd/lde.c
@@ -185,11 +185,14 @@ lde_shutdown(void)
        if (iev_ldpe) {
                msgbuf_clear(&iev_ldpe->ibuf.w);
                close(iev_ldpe->ibuf.fd);
+               iev_ldpe->ibuf.fd = -1;
        }
        msgbuf_clear(&iev_main->ibuf.w);
        close(iev_main->ibuf.fd);
+       iev_main->ibuf.fd = -1;
        msgbuf_clear(&iev_main_sync->ibuf.w);
        close(iev_main_sync->ibuf.fd);
+       iev_main_sync->ibuf.fd = -1;
 
        lde_gc_stop_timer();
        lde_nbr_clear();
@@ -210,12 +213,16 @@ lde_shutdown(void)
 int
 lde_imsg_compose_parent(int type, pid_t pid, void *data, uint16_t datalen)
 {
+       if (iev_main->ibuf.fd == -1)
+               return (0);
        return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen));
 }
 
 void
 lde_imsg_compose_parent_sync(int type, pid_t pid, void *data, uint16_t datalen)
 {
+       if (iev_main_sync->ibuf.fd == -1)
+               return;
        imsg_compose_event(iev_main_sync, type, 0, pid, -1, data, datalen);
        imsg_flush(&iev_main_sync->ibuf);
 }
@@ -224,6 +231,8 @@ int
 lde_imsg_compose_ldpe(int type, uint32_t peerid, pid_t pid, void *data,
     uint16_t datalen)
 {
+       if (iev_ldpe->ibuf.fd == -1)
+               return (0);
        return (imsg_compose_event(iev_ldpe, type, peerid, pid,
             -1, data, datalen));
 }

diff --git a/ldpd/ldpe.c b/ldpd/ldpe.c
index 3c8f8135e9d0ceacf8e2f87171e1c0e705352973..9d00bcd2b6a40eab0514eb6ff98ab38808902b8f 100644 (file)
--- a/ldpd/ldpe.c
+++ b/ldpd/ldpe.c
@@ -190,15 +190,16 @@ ldpe_shutdown(void)
 
        /* close pipes */
        if (iev_lde) {
-               msgbuf_write(&iev_lde->ibuf.w);
                msgbuf_clear(&iev_lde->ibuf.w);
                close(iev_lde->ibuf.fd);
+               iev_lde->ibuf.fd = -1;
        }
-       msgbuf_write(&iev_main->ibuf.w);
        msgbuf_clear(&iev_main->ibuf.w);
        close(iev_main->ibuf.fd);
+       iev_main->ibuf.fd = -1;
        msgbuf_clear(&iev_main_sync->ibuf.w);
        close(iev_main_sync->ibuf.fd);
+       iev_main_sync->ibuf.fd = -1;
 
        control_cleanup(ctl_sock_path);
        config_clear(leconf);
@@ -236,12 +237,16 @@ ldpe_shutdown(void)
 int
 ldpe_imsg_compose_parent(int type, pid_t pid, void *data, uint16_t datalen)
 {
+       if (iev_main->ibuf.fd == -1)
+               return (0);
        return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen));
 }
 
 void
 ldpe_imsg_compose_parent_sync(int type, pid_t pid, void *data, uint16_t datalen)
 {
+       if (iev_main_sync->ibuf.fd == -1)
+               return;
        imsg_compose_event(iev_main_sync, type, 0, pid, -1, data, datalen);
        imsg_flush(&iev_main_sync->ibuf);
 }
@@ -250,6 +255,8 @@ int
 ldpe_imsg_compose_lde(int type, uint32_t peerid, pid_t pid, void *data,
     uint16_t datalen)
 {
+       if (iev_lde->ibuf.fd == -1)
+               return (0);
        return (imsg_compose_event(iev_lde, type, peerid, pid, -1,
            data, datalen));
 }