diff options
| author | Pooja Jagadeesh Doijode <pdoijode@nvidia.com> | 2023-03-20 12:54:31 -0700 |
|---|---|---|
| committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2023-03-21 11:05:09 +0000 |
| commit | e24c7991384a2e871c91a8ece5cc2324f32b0170 (patch) | |
| tree | e96e2a5863e06feb2836a71f691c11464f7f2f3f /lib/command.c | |
| parent | 8d2666fb039f8aac1f8f8a4ece92a2f4bf03200f (diff) | |
zebra: Fix for heap-use-after-free in EVPN
Issue:
When a netns is deleted, since zebra doesn’t receive interface down/delete
notifications from kernel, it manually deletes the interface without removing
the association between zebra_l3vni and the interface that is being deleted
(i.e it deletes the interface without setting “zl3vni->vxlan_if” to NULL).
Later, during the deletion of netns, when zl3vni_rmac_uninstall() is called to
uninstall the remote RMAC from the kernel, zebra ends up accessing stale
“zl3vni->vxlan_if” pointer, which now points to freed memory.
This was causing heap use-after-free.
Fix:
Before zebra starts deleting the interfaces when it receives netns delete notification,
appropriate functions() are being called to remove the association between evpn structs
and interface and set “zl3vni->vxlan_if” to NULL. This ensures that when
zl3vni_rmac_uninstall() is called during netns deletion, it will bail because
“zl3vni->vxlan_if” is NULL.
Signed-off-by: Pooja Jagadeesh Doijode <pdoijode@nvidia.com>
(cherry picked from commit 7eefea98ba5d42dc3f042b509fe0f18a0e1d5548)
Diffstat (limited to 'lib/command.c')
0 files changed, 0 insertions, 0 deletions