From: Renato Westphal Date: Tue, 10 Oct 2017 12:22:41 +0000 (-0300) Subject: ldpd: fix heap-use-after-free at exit X-Git-Tag: frr-4.0-dev~220^2~1 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=50732983b93cd44f95bbb28b43ea8401c487b9cd;p=matthieu%2Ffrr.git ldpd: fix heap-use-after-free at exit This problems happens because, in this port, whenever the child processes want to log something they send a message to the parent. But in the shutdown functions the first thing we do is to close the pipes to the parent process. With that said, add some protections to prevent the child processes from trying to use a closed pipe and just ignore their log messages during shutdown. In the future we need to share the logging configuration with the child processes so they can send log messages on their own. While here, remove some unnecessary calls to msgbuf_write() in ldpe_shutdown(). Fixes #1253. Signed-off-by: Renato Westphal
---
diff --git a/ldpd/lde.c b/ldpd/lde.c
index 648eefa653..a7f933bbe5 100644
--- a/ldpd/lde.c
+++ b/ldpd/lde.c
@@ -185,11 +185,14 @@ lde_shutdown(void)
 if (iev_ldpe) {
 msgbuf_clear(&iev_ldpe->ibuf.w);
 close(iev_ldpe->ibuf.fd);
+ iev_ldpe->ibuf.fd = -1;
 }
 msgbuf_clear(&iev_main->ibuf.w);
 close(iev_main->ibuf.fd);
+ iev_main->ibuf.fd = -1;
 msgbuf_clear(&iev_main_sync->ibuf.w);
 close(iev_main_sync->ibuf.fd);
+ iev_main_sync->ibuf.fd = -1;
 lde_gc_stop_timer();
 lde_nbr_clear();
@@ -210,12 +213,16 @@ lde_shutdown(void)
 int
 lde_imsg_compose_parent(int type, pid_t pid, void *data, uint16_t datalen)
 {
+ if (iev_main->ibuf.fd == -1)
+ return (0);
 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen));
 }
 void
 lde_imsg_compose_parent_sync(int type, pid_t pid, void *data, uint16_t datalen)
 {
+ if (iev_main_sync->ibuf.fd == -1)
+ return;
 imsg_compose_event(iev_main_sync, type, 0, pid, -1, data, datalen);
 imsg_flush(&iev_main_sync->ibuf);
 }
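Review bot: The `ibuf.fd = -1` sentinels added in lde_shutdown only help while `iev_ldpe`, `iev_main` and `iev_main_sync` are still allocated, and the rest of the function lies outside this hunk. If those structures are freed further down before the process's last log call, the new `ibuf.fd == -1` guards would themselves read freed memory; in that case each `free()` should be followed by setting the pointer to NULL, and the guards should test the pointer before the fd. The ldpe_shutdown hunk in ldpd/ldpe.c has the same dependency.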
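Review bot: The early returns in lde_imsg_compose_parent and lde_imsg_compose_parent_sync carry no comment, and they drop every message type sent through these helpers, not only the log messages the commit description mentions. I would add `/* pipe already closed by lde_shutdown(): drop the message */` above each check. In lde_imsg_compose_parent it is also worth noting that `return (0)` here means "discarded", since what imsg_compose_event() returns on success is not visible in this hunk. The same comment fits ldpe_imsg_compose_parent and ldpe_imsg_compose_parent_sync in ldpd/ldpe.c.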
@@ -224,6 +231,8 @@ int
 lde_imsg_compose_ldpe(int type, uint32_t peerid, pid_t pid, void *data, uint16_t datalen)
 {
+ if (iev_ldpe->ibuf.fd == -1)
+ return (0);
 return (imsg_compose_event(iev_ldpe, type, peerid, pid, -1, data, datalen));
 }
diff --git a/ldpd/ldpe.c b/ldpd/ldpe.c
index 3c8f8135e9..9d00bcd2b6 100644
--- a/ldpd/ldpe.c
+++ b/ldpd/ldpe.c
@@ -190,15 +190,16 @@ ldpe_shutdown(void)
 /* close pipes */
 if (iev_lde) {
- msgbuf_write(&iev_lde->ibuf.w);
 msgbuf_clear(&iev_lde->ibuf.w);
 close(iev_lde->ibuf.fd);
+ iev_lde->ibuf.fd = -1;
 }
- msgbuf_write(&iev_main->ibuf.w);
 msgbuf_clear(&iev_main->ibuf.w);
 close(iev_main->ibuf.fd);
+ iev_main->ibuf.fd = -1;
 msgbuf_clear(&iev_main_sync->ibuf.w);
 close(iev_main_sync->ibuf.fd);
+ iev_main_sync->ibuf.fd = -1;
 control_cleanup(ctl_sock_path);
 config_clear(leconf);
@@ -236,12 +237,16 @@ ldpe_shutdown(void)
 int
 ldpe_imsg_compose_parent(int type, pid_t pid, void *data, uint16_t datalen)
 {
+ if (iev_main->ibuf.fd == -1)
+ return (0);
 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen));
 }
 void
 ldpe_imsg_compose_parent_sync(int type, pid_t pid, void *data, uint16_t datalen)
 {
+ if (iev_main_sync->ibuf.fd == -1)
+ return;
 imsg_compose_event(iev_main_sync, type, 0, pid, -1, data, datalen);
 imsg_flush(&iev_main_sync->ibuf);
 }
@@ -250,6 +255,8 @@ int
 ldpe_imsg_compose_lde(int type, uint32_t peerid, pid_t pid, void *data, uint16_t datalen)
 {
+ if (iev_lde->ibuf.fd == -1)
+ return (0);
 return (imsg_compose_event(iev_lde, type, peerid, pid, -1, data, datalen));
 }
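Review bot: The new check in lde_imsg_compose_ldpe dereferences `iev_ldpe` unconditionally, while lde_shutdown guards the same pointer with `if (iev_ldpe)`, which suggests it can be NULL. The guard could cover both cases: `if (iev_ldpe == NULL || iev_ldpe->ibuf.fd == -1)`. ldpe_imsg_compose_lde in ldpd/ldpe.c has the same pattern with `iev_lde`. Whether either function is reachable before the pipe is set up cannot be seen from these hunks, and the function's return-type line sits in the hunk header rather than in the hunk body.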
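Review bot: With the two msgbuf_write() calls gone from ldpe_shutdown, anything still queued on `iev_lde->ibuf.w` and `iev_main->ibuf.w` is discarded by msgbuf_clear() rather than sent, and the `/* close pipes */` comment does not say so. I would reword it to `/* close pipes; queued messages are discarded, not flushed */` so a reader does not assume the peer processes receive the last messages. ldpe_shutdown starts and ends outside this hunk.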