diff options
| author | anlan_cs <vic.lan@pica8.com> | 2023-02-06 09:27:05 +0800 |
|---|---|---|
| committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2023-02-08 08:07:50 +0000 |
| commit | b3b3a910a693b2955a22bdd624ac66e6ead90c08 (patch) | |
| tree | 75089370d055487ce5a4504a372e1b78dde28b8c /zebra/zebra_errors.c | |
| parent | 2285f5aca8e58643314708aea9cda3c6aaa1b80b (diff) | |
bgpd: fix use-after-free crash for evpn
```
anlan(config-router-af)# vni 33
anlan(config-router-af-vni)# route-target both 44:55
anlan(config-router-af-vni)# no route-target both 44:55
vtysh: error reading from bgpd: Resource temporarily unavailable (11)Warning: closing connection to bgpd because of an I/O error!
```
When `bgp_evpn_vni_rt_cmd` deals with "both" type, it wrongly created
only one node ( should be two nodes ) for lists of both `vpn->import_rtl` and
`vpn->export_rtl`. At this time, the two lists are already wrong.
In `no route-target both RT`, it will free the single node from lists of both
`vpn->import_rtl` and `vpn->export_rtl`. After freed from `vpn->import_rtl`,
it is "use-after-free" at the time of freeing it from `vpn->export_rtl`.
It causes crash sometimes, or other unexpected behaviours.
This issue is introduced by commit `3b7e8d`, which have adjusted both
`bgp_evpn_vni_rt_cmd` and `bgp_evpn_vrf_rt_cmd`.
Since `bgp_evpn_vrf_rt_cmd/no_bgp_evpn_vrf_rt_cmd` works well again
unintentionally with commit `7022da`, only `bgp_evpn_vni_rt_cmd` needs to
modify - add two nodes for "both" type and some explicit comments for this
special case of "both" type.
Signed-off-by: anlan_cs <vic.lan@pica8.com>
(cherry picked from commit 432ff4b036860fb626f3027a7798038d594b8042)
Diffstat (limited to 'zebra/zebra_errors.c')
0 files changed, 0 insertions, 0 deletions