diff options
| author | Pooja Jagadeesh Doijode <pdoijode@nvidia.com> | 2023-03-20 12:54:31 -0700 |
|---|---|---|
| committer | Pooja Jagadeesh Doijode <pdoijode@nvidia.com> | 2023-03-20 12:54:31 -0700 |
| commit | 7eefea98ba5d42dc3f042b509fe0f18a0e1d5548 (patch) | |
| tree | c1171a79ecb6f30ea91efd5639ab9707045b4fde /lib/if_rmap.c | |
| parent | c8cba1b88c952517ebe7f2ab2262a6ffb5499c0a (diff) | |
zebra: Fix for heap-use-after-free in EVPN
Issue:
When a netns is deleted, since zebra doesn’t receive interface down/delete
notifications from kernel, it manually deletes the interface without removing
the association between zebra_l3vni and the interface that is being deleted
(i.e it deletes the interface without setting “zl3vni->vxlan_if” to NULL).
Later, during the deletion of netns, when zl3vni_rmac_uninstall() is called to
uninstall the remote RMAC from the kernel, zebra ends up accessing stale
“zl3vni->vxlan_if” pointer, which now points to freed memory.
This was causing heap use-after-free.
Fix:
Before zebra starts deleting the interfaces when it receives netns delete notification,
appropriate functions() are being called to remove the association between evpn structs
and interface and set “zl3vni->vxlan_if” to NULL. This ensures that when
zl3vni_rmac_uninstall() is called during netns deletion, it will bail because
“zl3vni->vxlan_if” is NULL.
Signed-off-by: Pooja Jagadeesh Doijode <pdoijode@nvidia.com>
Diffstat (limited to 'lib/if_rmap.c')
0 files changed, 0 insertions, 0 deletions