authorDavid Lamparter <equinox@opensourcerouting.org>2021-09-27 10:33:33 +0200
committerDavid Lamparter <equinox@opensourcerouting.org>2021-09-27 10:37:23 +0200
commit200f56710a462354f55e6189a0d10df03415c1e4 (patch)
tree0406b1acf12b0d6a38b1b14a1044e9d7d976405f /pimd/pim_cmd.c
parent83caa5e5c1e05062977bdd77ede06d63d03c1ddf (diff)
pimd: fix UAF/heap corruption in BSM code
This `XFREE()` call is plainly in the wrong spot. `rp_all` (the 224.0.0.0/4 entry) isn't supposed to be free'd ever, and the conditional above makes quite clear that it remains in use. It may be possible to exploit this as a heap corruption bug, maybe even as RCE. I haven't tried; I randomly noticed this while working on the BSM code. Luckily this code is only run by the CLI for the clear command, so the surface is very small. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Diffstat (limited to 'pimd/pim_cmd.c')
-rw-r--r--pimd/pim_cmd.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/pimd/pim_cmd.c b/pimd/pim_cmd.c
index 14aa710524..5fb2ddf732 100644
--- a/pimd/pim_cmd.c
+++ b/pimd/pim_cmd.c
@@ -4140,10 +4140,9 @@ static void clear_pim_bsr_db(struct pim_instance *pim)
rpnode->info = NULL;
route_unlock_node(rpnode);
route_unlock_node(rpnode);
+ XFREE(MTYPE_PIM_RP, rp_info);
}
- XFREE(MTYPE_PIM_RP, rp_info);
-
pim_free_bsgrp_node(bsgrp->scope->bsrp_table, &bsgrp->group);
pim_free_bsgrp_data(bsgrp);
}
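Review bot: The moved `XFREE(MTYPE_PIM_RP, rp_info);` now sits inside the block that ends at the `}` above it, but nothing in the code records why it must stay there, so the same misplacement can be reintroduced by a later refactor; a short comment on the added line would pin the invariant the commit message states, e.g. `/* rp_all (224.0.0.0/4) is owned by the instance and must never be freed here */`. Since the fix is a lifetime change in a path only reachable from the CLI clear command, it is also worth covering with a regression test that runs the clear command with both the default 224.0.0.0/4 entry and a non-default RP present, ideally under ASan, so a regression surfaces as a use-after-free report rather than silent heap corruption. The conditional the message refers to, and the rest of `clear_pim_bsr_db`, lie outside the hunk, so whether `rp_info` is dereferenced after the block cannot be confirmed from here.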