From 22efe557f148ae43f8a7732bd0865eb3f17ad67c Mon Sep 17 00:00:00 2001 From: Carmine Scarpitta Date: Fri, 18 Nov 2022 13:19:14 +0100 Subject: [PATCH] zebra: Fix use-after-free issue in srte cleanup Currently, in `zebra_srte_client_close_cleanup` we use the `RB_FOREACH` macro to traverse the SR policies tree. We remove the SR policies within the loop. Removing elements from the tree and freeing them is not safe and causes a use-after-free crash whenever the `zebra_srte_client_close_cleanup` is called to perform cleanup. This commit replaces the `RB_FOREACH` macro with its variant `RB_FOREACH_SAFE`. Unlike `RB_FOREACH`, `RB_FOREACH_SAFE` permits both the removal of tree elements as well as freeing them from within the loop safely. Signed-off-by: Carmine Scarpitta --- zebra/zebra_srte.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/zebra/zebra_srte.c b/zebra/zebra_srte.c index 7d95607fcf..746158c4b3 100644 --- a/zebra/zebra_srte.c +++ b/zebra/zebra_srte.c @@ -387,13 +387,13 @@ int zebra_sr_policy_label_update(mpls_label_t label, static int zebra_srte_client_close_cleanup(struct zserv *client) { int sock = client->sock; - struct zebra_sr_policy *policy; + struct zebra_sr_policy *policy, *policy_temp; if (!sock) return 0; - RB_FOREACH (policy, zebra_sr_policy_instance_head, - &zebra_sr_policy_instances) { + RB_FOREACH_SAFE (policy, zebra_sr_policy_instance_head, + &zebra_sr_policy_instances, policy_temp) { if (policy->sock == sock) zebra_sr_policy_del(policy); } -- 2.39.5
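Review bot: In the `RB_FOREACH_SAFE` loop of `zebra_srte_client_close_cleanup`, the safe variant only protects against removal of the current node. `policy_temp` holds the successor fetched before the loop body runs, so the traversal stays valid only if `zebra_sr_policy_del(policy)` removes and frees `policy` alone. The body of `zebra_sr_policy_del` is not part of this diff, so please confirm it cannot remove any other entry from `zebra_sr_policy_instances` as a side effect; if it can, `policy_temp` may itself be dangling on the next iteration. A one-line comment above the loop stating that entries are deleted during traversal would also keep a later cleanup from switching it back to `RB_FOREACH`. Separately, in the unchanged context, `if (!sock) return 0;` skips the cleanup whenever `client->sock` is 0, which is a valid descriptor value; if 0 is meant as a "no socket" sentinel here, it is worth saying so in a comment.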