]> git.proxmox.com Git - mirror_frr.git/commitdiff
projects / mirror_frr.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1f98f42)
ldpd: Clean up use after free in shutdown
authorDonald Sharp <sharpd@nvidia.com>
Sat, 3 Dec 2022 12:13:49 +0000 (07:13 -0500)
committerDonald Sharp <sharpd@nvidia.com>
Mon, 5 Dec 2022 13:49:57 +0000 (08:49 -0500)
Config data was being freed just prior to it
being used for cleanup in shutdown.  Prevent this
from happening.

./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-=================================================================
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142:==2274142==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00000c880 at pc 0x0000004d94d1 bp 0x7ffd46637810 sp 0
x7ffd46637808
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-READ of size 4 at 0x61d00000c880 thread T0
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #0 0x4d94d0 in ldp_rtr_id_get /home/sharpd/frr8/ldpd/ldpd.c:983:20
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #1 0x56ff92 in gen_ldp_hdr /home/sharpd/frr8/ldpd/packet.c:47:19
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #2 0x56a4b0 in send_notification_full /home/sharpd/frr8/ldpd/notification.c:49:9
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #3 0x56c4b3 in send_notification /home/sharpd/frr8/ldpd/notification.c:117:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #4 0x573fb7 in session_shutdown /home/sharpd/frr8/ldpd/packet.c:666:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #5 0x4e2ef1 in adj_del /home/sharpd/frr8/ldpd/adjacency.c:145:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #6 0x55d425 in ldpe_shutdown /home/sharpd/frr8/ldpd/ldpe.c:231:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #7 0x55a9a0 in ldpe_dispatch_main /home/sharpd/frr8/ldpd/ldpe.c:631:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #8 0x7f0c00c035e6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #9 0x5586f2 in ldpe /home/sharpd/frr8/ldpd/ldpe.c:138:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #10 0x4d46d2 in main /home/sharpd/frr8/ldpd/ldpd.c:339:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #11 0x7f0c00476d09 in __libc_start_main csu/../csu/libc-start.c:308:16
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #12 0x429cb9 in _start (/usr/lib/frr/ldpd+0x429cb9)
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-0x61d00000c880 is located 0 bytes inside of 2008-byte region [0x61d00000c880,0x61d00000d058)
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-freed by thread T0 here:
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #0 0x4a3aad in free (/usr/lib/frr/ldpd+0x4a3aad)
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #1 0x4de6c8 in config_clear /home/sharpd/frr8/ldpd/ldpd.c:2001:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #2 0x55d12d in ldpe_shutdown /home/sharpd/frr8/ldpd/ldpe.c:211:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #3 0x55a9a0 in ldpe_dispatch_main /home/sharpd/frr8/ldpd/ldpe.c:631:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #4 0x7f0c00c035e6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #5 0x5586f2 in ldpe /home/sharpd/frr8/ldpd/ldpe.c:138:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #6 0x4d46d2 in main /home/sharpd/frr8/ldpd/ldpd.c:339:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #7 0x7f0c00476d09 in __libc_start_main csu/../csu/libc-start.c:308:16
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-previously allocated by thread T0 here:
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #0 0x4a3ea2 in calloc (/usr/lib/frr/ldpd+0x4a3ea2)
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #1 0x4d6146 in config_new_empty /home/sharpd/frr8/ldpd/ldpd.c:1967:10
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #2 0x558678 in ldpe /home/sharpd/frr8/ldpd/ldpe.c:134:11
--
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #4 0x7f0c00476d09 in __libc_start_main csu/../csu/libc-start.c:308:16

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
ldpd/ldpe.c patch | blob | blame | history

diff --git a/ldpd/ldpe.c b/ldpd/ldpe.c
index 1b5c0e90fb6130b61b8efc3f55ef78cae50dff88..35d2bf21c97de6295a589bbf9bf246549598a5b8 100644 (file)
--- a/ldpd/ldpe.c
+++ b/ldpd/ldpe.c
@@ -208,7 +208,6 @@ ldpe_shutdown(void)
        iev_main_sync->ibuf.fd = -1;
 
        control_cleanup(ctl_sock_path);
-       config_clear(leconf);
 
 #ifdef __OpenBSD__
        if (sysdep.no_pfkey == 0) {
@@ -231,6 +230,7 @@ ldpe_shutdown(void)
                adj_del(adj, S_SHUTDOWN);
        }
 
+       config_clear(leconf);
        /* clean up */
        if (iev_lde)
                free(iev_lde);
FRRouting mirror