git.puffer.fish Git - mirror/frr.git/commitdiff
pimd: fix UAF/heap corruption in BSM code 9678/head
author David Lamparter <equinox@opensourcerouting.org>
Mon, 27 Sep 2021 08:33:33 +0000 (10:33 +0200)
committer mergify-bot <noreply@mergify.io>
Mon, 27 Sep 2021 13:46:21 +0000 (13:46 +0000)
This `XFREE()` call is plainly in the wrong spot.  `rp_all` (the
224.0.0.0/4 entry) isn't supposed to be freed ever, and the
conditional above makes quite clear that it remains in use.

It may be possible to exploit this as a heap corruption bug, maybe even
as RCE.  I haven't tried; I randomly noticed this while working on the
BSM code.  Luckily this code is only run by the CLI for the clear
command, so the surface is very small.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
(cherry picked from commit 200f56710a462354f55e6189a0d10df03415c1e4)

pimd/pim_cmd.c

index f67a67703d1be49735b5dc4159ba5935470039be..91b0ed5726f5c7151e060e6fbb7b48e67e0eb231 100644 (file)
@@ -4146,10 +4146,9 @@ static void clear_pim_bsr_db(struct pim_instance *pim)
                        rpnode->info = NULL;
                        route_unlock_node(rpnode);
                        route_unlock_node(rpnode);
+                       XFREE(MTYPE_PIM_RP, rp_info);
                }
 
-               XFREE(MTYPE_PIM_RP, rp_info);
-
                pim_free_bsgrp_node(bsgrp->scope->bsrp_table, &bsgrp->group);
                pim_free_bsgrp_data(bsgrp);
        }
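Review bot: the relocated `XFREE(MTYPE_PIM_RP, rp_info);` now sits inside the conditional, directly after the two `route_unlock_node(rpnode);` calls, but nothing at the site records why the free must stay guarded; since the commit message states that `rp_all` (the 224.0.0.0/4 entry) is never freed, a one-line comment above the `XFREE` such as `/* rp_all is never freed; only the other rp_info entries are */` would keep a later refactor from hoisting it back out of the block. Two things to confirm in review that the shown context cannot: that the conditional opening this block is the one that excludes `rp_all`, and that `rp_info` is not touched after the block. In the visible lines it is not: `pim_free_bsgrp_node(bsgrp->scope->bsrp_table, &bsgrp->group);` and `pim_free_bsgrp_data(bsgrp);` take only `bsgrp`, so the freed pointer is not reused here.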