Merge pull request #2390 from pacovn/Coverity_1221459_Use_after_free
authorDonald Sharp <sharpd@cumulusnetworks.com>
Fri, 8 Jun 2018 18:57:02 +0000 (14:57 -0400)
committerGitHub <noreply@github.com>
Fri, 8 Jun 2018 18:57:02 +0000 (14:57 -0400)
spf6d: fix use after free (Coverity 1221459)

lib/thread.c
pimd/pim_nht.c
pimd/pim_zlookup.c
zebra/zebra_vty.c
zebra/zebra_vxlan.c

index f9ff16b7b3cd560b89642e944554f1e7ec88c441..18e1c922804cf43faad3302a2860582835ab79e2 100644 (file)
@@ -60,7 +60,7 @@ static struct list *masters;
 /* CLI start ---------------------------------------------------------------- */
 static unsigned int cpu_record_hash_key(struct cpu_thread_history *a)
 {
-       int size = sizeof(&a->func);
+       int size = sizeof(a->func);
 
        return jhash(&a->func, size, 0);
 }
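Review bot: In cpu_record_hash_key the length passed to jhash goes through an `int size` local, which narrows a `size_t` for no benefit; the body can be the single line `return jhash(&a->func, sizeof(a->func), 0);`. Keeping the `sizeof` next to the pointer it measures makes it harder for the two to drift apart again, which matters because a length larger than the field would hash bytes past it. A short comment such as `/* key is the raw bytes of the function pointer */` would record why the field's own size is the correct length.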
index 3cbd11a9ae2a44be70fc1cc5f285e89ed0976bdb..fa6486a83e76312b406e2f9626809d85aa4044b8 100644 (file)
@@ -667,7 +667,7 @@ int pim_parse_nexthop_update(int command, struct zclient *zclient,
                                 * RPF address from nexthop cache (i.e.
                                 * destination) as PIM nexthop.
                                 */
-                               nexthop->type = NEXTHOP_TYPE_IPV4;
+                               nexthop->type = NEXTHOP_TYPE_IPV4_IFINDEX;
                                nexthop->gate.ipv4 =
                                        pnc->rpf.rpf_addr.u.prefix4;
                                break;
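Review bot: The visible lines of this case assign only `nexthop->gate.ipv4` before `break`, yet the type now written is `NEXTHOP_TYPE_IPV4_IFINDEX`, which tells later readers of the nexthop that `nexthop->ifindex` is valid. If the ifindex is filled in earlier in pim_parse_nexthop_update (the function starts and ends outside this hunk), the block comment should say so, e.g. `/* ifindex was read from the stream above; only the gateway is replaced here */`. If it is not, it needs to be set in this branch, otherwise consumers act on a stale or zero interface index.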
index 9295b231cb0236ac97cc7428f1d20c32b150d8d2..fb616e1b0dda8ea586c9993c3834516471a06c9a 100644 (file)
@@ -215,6 +215,8 @@ static int zclient_read_nexthop(struct pim_instance *pim,
                                tab_size, addr_str, pim->vrf->name);
                        return num_ifindex;
                }
+               nexthop_tab[num_ifindex].protocol_distance = distance;
+               nexthop_tab[num_ifindex].route_metric = metric;
                switch (nexthop_type) {
                case NEXTHOP_TYPE_IFINDEX:
                        nexthop_tab[num_ifindex].ifindex = stream_getl(s);
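Review bot: The two assignments before `switch (nexthop_type)` are order-sensitive and nothing in the code says so: the cases in the next hunk do `++num_ifindex`, so these writes only land in the right slot, and only stay behind the table-full `return num_ifindex;` just above, if they remain where they are. I would add a comment above them such as `/* must precede the switch: cases below advance num_ifindex */`. zclient_read_nexthop begins outside this hunk, so the bounds check itself is only partly visible here.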
@@ -276,13 +278,19 @@ static int zclient_read_nexthop(struct pim_instance *pim,
                        }
                        ++num_ifindex;
                        break;
-               case NEXTHOP_TYPE_IPV6:
-               case NEXTHOP_TYPE_BLACKHOLE:
-                       /* ignore */
-                       continue;
+               default:
+                       /* do nothing */
+                       {
+                               char addr_str[INET_ADDRSTRLEN];
+                               pim_inet4_dump("<addr?>", addr, addr_str,
+                                              sizeof(addr_str));
+                               zlog_warn(
+                                       "%s: found non-ifindex nexthop type=%d for address %s(%s)",
+                                       __PRETTY_FUNCTION__, nexthop_type,
+                                       addr_str, pim->vrf->name);
+                       }
+                       break;
                }
-               nexthop_tab[num_ifindex].protocol_distance = distance;
-               nexthop_tab[num_ifindex].route_metric = metric;
        }
 
        return num_ifindex;
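Review bot: The new `default:` branch logs and breaks without reading anything from the stream, so if zebra encodes payload bytes for a nexthop type that lands here, every following iteration parses from a misaligned offset; the encoder is not visible in this hunk, so either skip the type's payload explicitly or stop parsing and return `num_ifindex` at this point. The comment `/* do nothing */` also contradicts the `zlog_warn` that follows and should describe the actual behaviour, e.g. `/* unsupported nexthop type: warn and skip, nothing is read from s */`. The block-local `char addr_str[INET_ADDRSTRLEN]` reuses a name that is already used in the table-full message of the previous hunk; if that one is still in scope this shadows it, and a distinct name avoids a `-Wshadow` warning.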
index eb11941a3a5f5843aa394f0dcfcf350ac2473d78..9ce8c74220042cb35164079d032c7a50dd8d3945 100644 (file)
@@ -260,18 +260,22 @@ static int zebra_static_route_holdem(
                        return CMD_SUCCESS;
                }
 
-               XFREE(MTYPE_STATIC_ROUTE, shr->nhvrf_name);
-               XFREE(MTYPE_STATIC_ROUTE, shr->vrf_name);
-               XFREE(MTYPE_STATIC_ROUTE, shr);
                /*
                 * If a person enters the same line again
                 * we need to silently accept it
                 */
-               return CMD_SUCCESS;
+               goto shr_cleanup;
        }
 
-       if (!negate)
+       if (!negate) {
                listnode_add_sort(static_list, shr);
+               return CMD_SUCCESS;
+       }
+
+shr_cleanup:
+       XFREE(MTYPE_STATIC_ROUTE, shr->nhvrf_name);
+       XFREE(MTYPE_STATIC_ROUTE, shr->vrf_name);
+       XFREE(MTYPE_STATIC_ROUTE, shr);
 
        return CMD_SUCCESS;
 }
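Review bot: The `return CMD_SUCCESS;` at the top of this hunk still exits without passing through the new `shr_cleanup` label, so the release of `shr` on that path depends on code outside the hunk; if `shr` is still owned there it leaks, and if it was already freed the reason should be stated next to the return. Routing that exit through `goto shr_cleanup;` as well would leave exactly two outcomes in zebra_static_route_holdem: ownership handed to `static_list`, or everything freed at the label. A comment on the `!negate` branch such as `/* static_list now owns shr; do not fall through to shr_cleanup */` would protect the early return there from being removed in a later cleanup, which would reintroduce a free of a listed element.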
index 98fa7ccf677a46d0e325cf075271d408ec6eb094..59f0cf52f0a1b46664f472442b23090663d568c3 100644 (file)
@@ -1864,7 +1864,7 @@ static int zvni_gw_macip_del(struct interface *ifp, zebra_vni_t *zvni,
                zlog_debug(
                        "%u:SVI %s(%u) VNI %u, sending GW MAC %s IP %s del to BGP",
                        ifp->vrf_id, ifp->name, ifp->ifindex, zvni->vni,
-                       prefix_mac2str(&(n->emac), NULL, ETHER_ADDR_STRLEN),
+                       prefix_mac2str(&(n->emac), buf1, sizeof(buf1)),
                        ipaddr2str(ip, buf2, sizeof(buf2)));
 
        /* Remove neighbor from BGP. */
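Review bot: `sizeof(buf1)` is only the buffer length if `buf1` is declared as a character array in zvni_gw_macip_del; its declaration is outside this hunk, and if it were a `char *` the call would pass the pointer size and truncate the MAC string. Please confirm it is declared like `char buf1[ETHER_ADDR_STRLEN];`, matching the constant the old call used. Since `buf1` and `buf2` are now both consumed by the same `zlog_debug` call, a one-line comment at their declaration saying which holds the MAC and which the IP would help the next reader.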