diff options
| author | Quentin Young <qlyoung@cumulusnetworks.com> | 2017-09-21 16:03:17 -0400 |
|---|---|---|
| committer | Donald Sharp <sharpd@cumulusnetworks.com> | 2017-09-25 12:47:45 -0400 |
| commit | 33fb59c3286e53e905b112f7769afb5bb41feead (patch) | |
| tree | f32137513151e8687c8e18afdd6faddd011cd1ad /lib/libfrr.c | |
| parent | 5039c9d5787b71c1165f0167306d0f9b16732a5d (diff) | |
ospf6d: fix heap use after free
During the loop we save a pointer to the next route in the table in case
brouter is deleted during the course of the loop iteration. However when
we call ospf6_route_remove this can trigger ospf6_route_remove on other
routes in the table, one of which could be pointed at by said pointer.
Since ospf6_route_next locks the route that it returns, it won't
actually be deleted, instead the refcount will go to 1. In the next loop
iteration, nbrouter becomes brouter, and calling ospf6_route_next on
this one will finally decrement the refcount to 0, resulting in a free,
which causes subsequent reads on brouter to be UAF. Since the route will
have OSPF6_ROUTE_WAS_REMOVED set, provided the memory was not
overwritten before we got there, we'll continue on to the next one so it
is unlikely this will cause a crash in production.
Solution implemented is to check if we've deleted the route and continue
if so.
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Diffstat (limited to 'lib/libfrr.c')
0 files changed, 0 insertions, 0 deletions