diff options
| author | anlan_cs <vic.lan@pica8.com> | 2023-02-06 09:27:05 +0800 |
|---|---|---|
| committer | anlan_cs <vic.lan@pica8.com> | 2023-02-06 21:39:22 +0800 |
| commit | 432ff4b036860fb626f3027a7798038d594b8042 (patch) | |
| tree | dae217b39bb87ec3001e4a7aea4eb4109967a7fc /lib/json.h | |
| parent | 51c48bdefdaabe957b9eac462e19593df8de51a4 (diff) | |
bgpd: fix use-after-free crash for evpn
```
anlan(config-router-af)# vni 33
anlan(config-router-af-vni)# route-target both 44:55
anlan(config-router-af-vni)# no route-target both 44:55
vtysh: error reading from bgpd: Resource temporarily unavailable (11)Warning: closing connection to bgpd because of an I/O error!
```
When `bgp_evpn_vni_rt_cmd` deals with "both" type, it wrongly created
only one node ( should be two nodes ) for lists of both `vpn->import_rtl` and
`vpn->export_rtl`. At this time, the two lists are already wrong.
In `no route-target both RT`, it will free the single node from lists of both
`vpn->import_rtl` and `vpn->export_rtl`. After freed from `vpn->import_rtl`,
it is "use-after-free" at the time of freeing it from `vpn->export_rtl`.
It causes crash sometimes, or other unexpected behaviours.
This issue is introduced by commit `3b7e8d`, which have adjusted both
`bgp_evpn_vni_rt_cmd` and `bgp_evpn_vrf_rt_cmd`.
Since `bgp_evpn_vrf_rt_cmd/no_bgp_evpn_vrf_rt_cmd` works well again
unintentionally with commit `7022da`, only `bgp_evpn_vni_rt_cmd` needs to
modify - add two nodes for "both" type and some explicit comments for this
special case of "both" type.
Signed-off-by: anlan_cs <vic.lan@pica8.com>
Diffstat (limited to 'lib/json.h')
0 files changed, 0 insertions, 0 deletions