From d2db4d3a45e0c1ff0ce6fe298d0828014587b5f8 Mon Sep 17 00:00:00 2001
From: David Lamparter
Date: Mon, 27 Sep 2021 10:33:33 +0200
Subject: [PATCH] pimd: fix UAF/heap corruption in BSM code

This `XFREE()` call is in plainly in the wrong spot. `rp_all` (the 224.0.0.0/4 entry) isn't supposed to be free'd ever, and the conditional above makes quite clear that it remains in use.

It may be possible to exploit this as a heap corruption bug, maybe even as RCE. I haven't tried; I randomly noticed this while working on the BSM code. Luckily this code is only run by the CLI for the clear command, so the surface is very small.

Signed-off-by: David Lamparter
(cherry picked from commit 200f56710a462354f55e6189a0d10df03415c1e4)
---
 pimd/pim_cmd.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pimd/pim_cmd.c b/pimd/pim_cmd.c
index f67a67703d..91b0ed5726 100644
--- a/pimd/pim_cmd.c
+++ b/pimd/pim_cmd.c
@@ -4146,10 +4146,9 @@ static void clear_pim_bsr_db(struct pim_instance *pim)
 rpnode->info = NULL;
 route_unlock_node(rpnode);
 route_unlock_node(rpnode);
+ XFREE(MTYPE_PIM_RP, rp_info);
 }
 
- XFREE(MTYPE_PIM_RP, rp_info);
-
 pim_free_bsgrp_node(bsgrp->scope->bsrp_table, &bsgrp->group);
 pim_free_bsgrp_data(bsgrp);
 }
-- 
2.39.5
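Review bot: The moved `XFREE(MTYPE_PIM_RP, rp_info);` carries no comment explaining why the free is now conditional, so the next reader of clear_pim_bsr_db sees an rp_info that is freed on one branch and deliberately kept on the other with nothing to distinguish a fix from an oversight; the condition itself and the start of the function are outside the hunk. Add a comment above the new line such as `/* only BSR-learned RPs are owned here; rp_all (224.0.0.0/4) stays allocated */`, wording taken from the commit message rather than from code visible in the hunk. The two consecutive `route_unlock_node(rpnode);` calls look like a copy-paste error to anyone unfamiliar with the table API; if the second one is intended to release the reference that the now-cleared `rpnode->info` held, a one-line comment saying so would prevent someone "fixing" it. Since the original bug was a heap use-after-free reachable from the clear command, it would be worth confirming the new path under an ASAN build as part of the backport verification.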