| author | Quentin Young <qlyoung@cumulusnetworks.com> | 2020-06-02 15:33:05 -0400 | 
|---|---|---|
| committer | Quentin Young <qlyoung@nvidia.com> | 2020-08-11 14:26:33 -0400 | 
| commit | ee723e13825920376a3938a5e3c0b355b4861e4a (patch) | |
| tree | d737eaf0a9143ea03b8aff1ab0fbffdfe23a6ec5 /vrrpd | |
| parent | 3a8f70b57cea88f846d02013574e63791660a1fb (diff) | |
vrrpd: don't allow autocreated vr's in NB layer
Changing properties on an autoconfigured VRRP instance results in its
pointer being stored as a userdata in the NB tree, leading to UAF when
autoconfigure deletes the instance and then later NB operations take
place using the now-stale pointer.
Ticket: CM-29850
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Diffstat (limited to 'vrrpd')
| -rw-r--r-- | vrrpd/vrrp_northbound.c | 16 | 
1 files changed, 13 insertions, 3 deletions
diff --git a/vrrpd/vrrp_northbound.c b/vrrpd/vrrp_northbound.c index e9cd714a95..ad6775dd35 100644 --- a/vrrpd/vrrp_northbound.c +++ b/vrrpd/vrrp_northbound.c @@ -40,12 +40,22 @@ static int lib_interface_vrrp_vrrp_group_create(struct nb_cb_create_args *args)  	uint8_t version = 3;  	struct vrrp_vrouter *vr; -	if (args->event != NB_EV_APPLY) -		return NB_OK; -  	ifp = nb_running_get_entry(args->dnode, NULL, true);  	vrid = yang_dnode_get_uint8(args->dnode, "./virtual-router-id");  	version = yang_dnode_get_enum(args->dnode, "./version"); + +	switch (event) { +	case NB_EV_VALIDATE: +		vr = vrrp_lookup(ifp, vrid); +		if (vr && vr->autoconf) +			return NB_ERR_VALIDATION; +	case NB_EV_PREPARE: +	case NB_EV_ABORT: +		return NB_OK; +	case NB_EV_APPLY: +		break; +	} +  	vr = vrrp_vrouter_create(ifp, vrid, version);  	nb_running_set_entry(args->dnode, vr);  | 
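Review bot: `switch (event)` in the added block uses a name that is not declared anywhere in the visible lines. The function takes `struct nb_cb_create_args *args` and the removed check read `args->event`, so this should be `switch (args->event)`. The `NB_EV_VALIDATE` case also falls through into `NB_EV_PREPARE` when no autoconfigured instance is found; that looks intended, but an explicit fallthrough comment or a `return NB_OK;` would make the intent clear and avoid implicit-fallthrough warnings. Separately, `nb_running_get_entry(args->dnode, NULL, true)` and the two `yang_dnode_get_*` calls were moved above the event check, so they now run for every event instead of only on apply. Please confirm the running-entry lookup is valid during validate, prepare and abort.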
