From 592af4cc0aa25dd3f5d3a3d8fc4f0ae1f681ae74 Mon Sep 17 00:00:00 2001
From: Quentin Young
Date: Tue, 14 Jan 2020 01:18:44 -0500
Subject: [PATCH] zebra: fix iptable install heap UAF
My previous patch to fix a memory leak, caused by not properly freeing the iptable iface list on stream parse failure, created/exposed a heap use after free because we were not doing a deep copy
Signed-off-by: Quentin Young
---
 zebra/zebra_pbr.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/zebra/zebra_pbr.c b/zebra/zebra_pbr.c
index 0c3adcdfa1..fe7a93a50c 100644
--- a/zebra/zebra_pbr.c
+++ b/zebra/zebra_pbr.c
@@ -652,12 +652,22 @@ static void *pbr_iptable_alloc_intern(void *arg)
 {
 struct zebra_pbr_iptable *zpi;
 struct zebra_pbr_iptable *new;
+ struct listnode *ln;
+ char *ifname;
 zpi = (struct zebra_pbr_iptable *)arg;
 new = XCALLOC(MTYPE_TMP, sizeof(struct zebra_pbr_iptable));
+ /* Deep structure copy */
 memcpy(new, zpi, sizeof(*zpi));
+ new->interface_name_list = list_new();
+
+ if (zpi->interface_name_list) {
+ for (ALL_LIST_ELEMENTS_RO(zpi->interface_name_list, ln, ifname))
+ listnode_add(new->interface_name_list,
+ XSTRDUP(MTYPE_PBR_IPTABLE_IFNAME, ifname));
+ }
 return new;
 }
--
2.39.5
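Review bot: The copy built in pbr_iptable_alloc_intern now owns a freshly allocated list plus one XSTRDUP'd string per interface, but nothing in the hunk states who releases them. The list returned by `list_new()` is given no `del` callback here, so a plain list delete on the stored entry would presumably leave the MTYPE_PBR_IPTABLE_IFNAME strings allocated. The release path is outside this hunk, so confirm that it frees each name before deleting the list, and that the caller still frees the list on the original `zpi` now that the two no longer alias. I would reword the comment above the `memcpy` to record this, e.g. `/* Shallow copy, then replace the aliased interface_name_list with an owned duplicate; the free path must XFREE each name */`. The copy also gets an empty list when `zpi->interface_name_list` is NULL, so a NULL check on the stored entry no longer means "no interfaces".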