From 464212db08fad3e61b1581040ed6381dc21287a0 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis Date: Wed, 14 Aug 2024 10:16:01 +0300 Subject: [PATCH] bgpd: Avoid use-after-free when doing `no router bgp` with auto created instances ``` ==1145965==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030007159c0 at pc 0x55ade8d962d1 bp 0x7ffec4ce74c0 sp 0x7ffec4ce74b0 READ of size 8 at 0x6030007159c0 thread T0 0 0x55ade8d962d0 in no_router_bgp bgpd/bgp_vty.c:1701 1 0x7efe5aed19ed in cmd_execute_command_real lib/command.c:1002 2 0x7efe5aed1da3 in cmd_execute_command lib/command.c:1061 3 0x7efe5aed2303 in cmd_execute lib/command.c:1227 4 0x7efe5af6c023 in vty_command lib/vty.c:616 5 0x7efe5af6d2d2 in vty_execute lib/vty.c:1379 6 0x7efe5af77df2 in vtysh_read lib/vty.c:2374 7 0x7efe5af64c9b in event_call lib/event.c:1996 8 0x7efe5af03887 in frr_run lib/libfrr.c:1232 9 0x55ade8cd9850 in main bgpd/bgp_main.c:555 10 0x7efe5aa29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 11 0x7efe5aa29e3f in __libc_start_main_impl ../csu/libc-start.c:392 12 0x55ade8cdc314 in _start (/usr/lib/frr/bgpd+0x16f314) ``` Signed-off-by: Donatas Abraitis --- bgpd/bgp_vty.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c index a3180fd707..f09074c7cd 100644 --- a/bgpd/bgp_vty.c +++ b/bgpd/bgp_vty.c @@ -1695,15 +1695,18 @@ DEFUN (no_router_bgp, /* Cannot delete default instance if vrf instances exist */ if (bgp->inst_type == BGP_INSTANCE_TYPE_DEFAULT) { - struct listnode *node; + struct listnode *node, *nnode; struct bgp *tmp_bgp; - for (ALL_LIST_ELEMENTS_RO(bm->bgp, node, tmp_bgp)) { + for (ALL_LIST_ELEMENTS(bm->bgp, node, nnode, tmp_bgp)) { if (tmp_bgp->inst_type != BGP_INSTANCE_TYPE_VRF) continue; - if (CHECK_FLAG(tmp_bgp->vrf_flags, BGP_VRF_AUTO)) + if (CHECK_FLAG(tmp_bgp->vrf_flags, + BGP_VRF_AUTO)) { bgp_delete(tmp_bgp); + continue; + } if (CHECK_FLAG( tmp_bgp->af_flags[AFI_IP] -- 2.39.5
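Review bot: The loop still deletes auto-created VRF instances before the remaining checks decide whether `no router bgp` is permitted, so a command that is later rejected (the `af_flags[AFI_IP]` check that continues past the end of the hunk) leaves the configuration partially torn down; a validation-only pass that returns the error first, followed by a separate deletion pass, would make the command all-or-nothing. The switch to `ALL_LIST_ELEMENTS` with `nnode` covers `bgp_delete()` unlinking the current node, but if deleting one auto instance can unlink any other element of `bm->bgp`, `nnode` could already be stale — worth a comment at the call such as `/* bgp_delete() unlinks tmp_bgp from bm->bgp; nnode was fetched before the call */`. The return value of `bgp_delete()` is discarded here; if it can fail and leave the instance on the list, the new `continue` would skip the flag check for that instance rather than report it. The enclosing `no_router_bgp` body begins and ends outside the hunk.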