diff options
| author | Donald Sharp <sharpd@cumulusnetworks.com> | 2017-10-10 12:57:22 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-10-10 12:57:22 -0400 |
| commit | a3a2db0a4a4cf4a87b5f7b68c027c95efd205c5a (patch) | |
| tree | d63e28ef6e54d1dd54a0095ad3be48b6a8e9a592 | |
| parent | 39271f2192e801968e02b3b149330060295ab6b0 (diff) | |
| parent | a901e098d70ce5f2e98039b2786c37db0830ee2a (diff) | |
Merge pull request #1319 from opensourcerouting/ldpd-use-after-free
ldpd: fix heap-use-after-free at exit
| -rw-r--r-- | ldpd/lde.c | 9 | ||||
| -rw-r--r-- | ldpd/ldpe.c | 11 | ||||
| -rw-r--r-- | ldpd/packet.c | 2 |
3 files changed, 19 insertions, 3 deletions
diff --git a/ldpd/lde.c b/ldpd/lde.c index 648eefa653..a7f933bbe5 100644 --- a/ldpd/lde.c +++ b/ldpd/lde.c @@ -185,11 +185,14 @@ lde_shutdown(void) if (iev_ldpe) { msgbuf_clear(&iev_ldpe->ibuf.w); close(iev_ldpe->ibuf.fd); + iev_ldpe->ibuf.fd = -1; } msgbuf_clear(&iev_main->ibuf.w); close(iev_main->ibuf.fd); + iev_main->ibuf.fd = -1; msgbuf_clear(&iev_main_sync->ibuf.w); close(iev_main_sync->ibuf.fd); + iev_main_sync->ibuf.fd = -1; lde_gc_stop_timer(); lde_nbr_clear(); @@ -210,12 +213,16 @@ lde_shutdown(void) int lde_imsg_compose_parent(int type, pid_t pid, void *data, uint16_t datalen) { + if (iev_main->ibuf.fd == -1) + return (0); return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); } void lde_imsg_compose_parent_sync(int type, pid_t pid, void *data, uint16_t datalen) { + if (iev_main_sync->ibuf.fd == -1) + return; imsg_compose_event(iev_main_sync, type, 0, pid, -1, data, datalen); imsg_flush(&iev_main_sync->ibuf); } @@ -224,6 +231,8 @@ int lde_imsg_compose_ldpe(int type, uint32_t peerid, pid_t pid, void *data, uint16_t datalen) { + if (iev_ldpe->ibuf.fd == -1) + return (0); return (imsg_compose_event(iev_ldpe, type, peerid, pid, -1, data, datalen)); } diff --git a/ldpd/ldpe.c b/ldpd/ldpe.c index 3c8f8135e9..9d00bcd2b6 100644 --- a/ldpd/ldpe.c +++ b/ldpd/ldpe.c @@ -190,15 +190,16 @@ ldpe_shutdown(void) /* close pipes */ if (iev_lde) { - msgbuf_write(&iev_lde->ibuf.w); msgbuf_clear(&iev_lde->ibuf.w); close(iev_lde->ibuf.fd); + iev_lde->ibuf.fd = -1; } - msgbuf_write(&iev_main->ibuf.w); msgbuf_clear(&iev_main->ibuf.w); close(iev_main->ibuf.fd); + iev_main->ibuf.fd = -1; msgbuf_clear(&iev_main_sync->ibuf.w); close(iev_main_sync->ibuf.fd); + iev_main_sync->ibuf.fd = -1; control_cleanup(ctl_sock_path); config_clear(leconf); @@ -236,12 +237,16 @@ ldpe_shutdown(void) int ldpe_imsg_compose_parent(int type, pid_t pid, void *data, uint16_t datalen) { + if (iev_main->ibuf.fd == -1) + return (0); return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); } void ldpe_imsg_compose_parent_sync(int type, pid_t pid, void *data, uint16_t datalen) { + if (iev_main_sync->ibuf.fd == -1) + return; imsg_compose_event(iev_main_sync, type, 0, pid, -1, data, datalen); imsg_flush(&iev_main_sync->ibuf); } @@ -250,6 +255,8 @@ int ldpe_imsg_compose_lde(int type, uint32_t peerid, pid_t pid, void *data, uint16_t datalen) { + if (iev_lde->ibuf.fd == -1) + return (0); return (imsg_compose_event(iev_lde, type, peerid, pid, -1, data, datalen)); } diff --git a/ldpd/packet.c b/ldpd/packet.c index be7f2ba649..4a4b258b91 100644 --- a/ldpd/packet.c +++ b/ldpd/packet.c @@ -494,7 +494,7 @@ session_read(struct thread *thread) msg_len = ntohs(msg->length); if (msg_len < LDP_MSG_LEN || (msg_len + LDP_MSG_DEAD_LEN) > pdu_len) { - session_shutdown(nbr, S_BAD_TLV_LEN, msg->id, + session_shutdown(nbr, S_BAD_MSG_LEN, msg->id, msg->type); free(buf); return (0); |