]> git.puffer.fish Git - matthieu/frr.git/commitdiff
projects / matthieu / frr.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9d1ee3a)
ospfd: Prevent use after free( and crash of ospf ) when no router ospf
authorDonald Sharp <sharpd@nvidia.com>
Wed, 30 Aug 2023 14:33:29 +0000 (10:33 -0400)
committerDonatas Abraitis <donatas@opensourcerouting.org>
Thu, 31 Aug 2023 08:05:07 +0000 (11:05 +0300)
Consider this config:

router ospf
  redistribute kernel

Then you issue:

no router ospf

ospf will crash with a use after free.

The problem is that the event's associated with the
ospf pointer were shut off then the ospf_external_delete
was called which rescheduled the event.  Let's just move
event deletion to the end of the no router ospf.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
ospfd/ospfd.c patch | blob | history

diff --git a/ospfd/ospfd.c b/ospfd/ospfd.c
index 51e937f42c4e0ea863121792e6428fd69d907d38..08044d63e5b19deb610d8dc055b6a0841c037fbb 100644 (file)
--- a/ospfd/ospfd.c
+++ b/ospfd/ospfd.c
@@ -801,25 +801,6 @@ static void ospf_finish_final(struct ospf *ospf)
                ospf_area_free(area);
        }
 
-       /* Cancel all timers. */
-       EVENT_OFF(ospf->t_read);
-       EVENT_OFF(ospf->t_write);
-       EVENT_OFF(ospf->t_spf_calc);
-       EVENT_OFF(ospf->t_ase_calc);
-       EVENT_OFF(ospf->t_maxage);
-       EVENT_OFF(ospf->t_maxage_walker);
-       EVENT_OFF(ospf->t_abr_task);
-       EVENT_OFF(ospf->t_abr_fr);
-       EVENT_OFF(ospf->t_asbr_check);
-       EVENT_OFF(ospf->t_asbr_nssa_redist_update);
-       EVENT_OFF(ospf->t_distribute_update);
-       EVENT_OFF(ospf->t_lsa_refresher);
-       EVENT_OFF(ospf->t_opaque_lsa_self);
-       EVENT_OFF(ospf->t_sr_update);
-       EVENT_OFF(ospf->t_default_routemap_timer);
-       EVENT_OFF(ospf->t_external_aggr);
-       EVENT_OFF(ospf->gr_info.t_grace_period);
-
        LSDB_LOOP (OPAQUE_AS_LSDB(ospf), rn, lsa)
                ospf_discard_from_db(ospf, ospf->lsdb, lsa);
        LSDB_LOOP (EXTERNAL_LSDB(ospf), rn, lsa)
@@ -907,8 +888,26 @@ static void ospf_finish_final(struct ospf *ospf)
                }
        }
 
-       route_table_finish(ospf->rt_aggr_tbl);
+       /* Cancel all timers. */
+       EVENT_OFF(ospf->t_read);
+       EVENT_OFF(ospf->t_write);
+       EVENT_OFF(ospf->t_spf_calc);
+       EVENT_OFF(ospf->t_ase_calc);
+       EVENT_OFF(ospf->t_maxage);
+       EVENT_OFF(ospf->t_maxage_walker);
+       EVENT_OFF(ospf->t_abr_task);
+       EVENT_OFF(ospf->t_abr_fr);
+       EVENT_OFF(ospf->t_asbr_check);
+       EVENT_OFF(ospf->t_asbr_nssa_redist_update);
+       EVENT_OFF(ospf->t_distribute_update);
+       EVENT_OFF(ospf->t_lsa_refresher);
+       EVENT_OFF(ospf->t_opaque_lsa_self);
+       EVENT_OFF(ospf->t_sr_update);
+       EVENT_OFF(ospf->t_default_routemap_timer);
+       EVENT_OFF(ospf->t_external_aggr);
+       EVENT_OFF(ospf->gr_info.t_grace_period);
 
+       route_table_finish(ospf->rt_aggr_tbl);
 
        ospf_free_refresh_queue(ospf);
 
Unnamed repository; edit this file 'description' to name the repository.