bgpd: Fix use-after-free for ORF case#22080
Conversation
This is similar to ffff1a1, and 3d43d7b. Just mirror and use the same pattern to avoid dangling pointers for orf_plist.

```
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x508000037638 at pc 0x7f4daf26dae3 bp 0x7fffb1118f40 sp 0x7fffb1118f30
READ of size 4 at 0x508000037638 thread T0
    #0 0x7f4daf26dae2 in prefix_list_apply_ext lib/plist.c:789
    #1 0x55b2c256c487 in subgroup_announce_check bgpd/bgp_route.c:2561
    #2 0x55b2c2574867 in subgroup_process_announce_selected bgpd/bgp_route.c:3720
    #3 0x55b2c267fd30 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:853
    #4 0x55b2c2680174 in subgroup_announce_route bgpd/bgp_updgrp_adv.c:909
    #5 0x55b2c2672d25 in peer_af_announce_route bgpd/bgp_updgrp.c:2296
    #6 0x55b2c2537780 in bgp_announce_route_timer_expired bgpd/bgp_route.c:6650
    #7 0x7f4daf33e06f in event_call lib/event.c:2740
    #8 0x7f4daf159f39 in frr_run lib/libfrr.c:1258
    #9 0x55b2c229e612 in main bgpd/bgp_main.c:549
    #10 0x7f4dad6fa1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)

0x508000037638 is located 24 bytes inside of 88-byte region [0x508000037620,0x508000037678)
freed by thread T0 here:
    #0 0x7f4dafde24d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f4daf1a6060 in qfree lib/memory.c:136
    #2 0x7f4daf26b1b7 in prefix_list_free lib/plist.c:156
    #3 0x7f4daf26b1b7 in prefix_list_delete lib/plist.c:247
    #4 0x7f4daf2714c2 in prefix_bgp_orf_remove_all lib/plist.c:1518
    #5 0x55b2c24f910d in bgp_route_refresh_receive bgpd/bgp_packet.c:2977
    #6 0x55b2c250809a in bgp_process_packet bgpd/bgp_packet.c:4167
    #7 0x7f4daf33e06f in event_call lib/event.c:2740
    #8 0x7f4daf159f39 in frr_run lib/libfrr.c:1258
    #9 0x55b2c229e612 in main bgpd/bgp_main.c:549
    #10 0x7f4dad6fa1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
```

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Greptile Summary

This PR fixes a use-after-free bug in
Confidence Score: 5/5

This is a minimal, targeted bug fix with no regressions: assigning NULL to updgrp_peer->orf_plist when the peer's ORF prefix list is cleared is safe and correct. The change is a one-conditional removal that closes a clear memory-safety hole: previously, clearing peer->orf_plist after a free was never reflected in updgrp_peer->orf_plist, leaving it pointing at freed memory. The fix unconditionally synchronises the two pointers (including when the value is NULL), which is harmless in the non-ORF path and necessary in the ORF-removal path. No files require special attention.
Sequence Diagram

```mermaid
sequenceDiagram
    participant Peer
    participant bgp_route_refresh_receive
    participant peer_orf_plist as peer->orf_plist[afi][safi]
    participant updgrp_peer_orf as updgrp_peer->orf_plist[afi][safi]
    Peer->>bgp_route_refresh_receive: ROUTE-REFRESH with ORF Remove-All
    bgp_route_refresh_receive->>peer_orf_plist: prefix_bgp_orf_remove_all() set to NULL
    Note over peer_orf_plist: pointer is now NULL (memory freed)
    Note over bgp_route_refresh_receive: OLD CODE (bug): only syncs when non-NULL
    bgp_route_refresh_receive--xupdgrp_peer_orf: skipped — updgrp_peer retains freed pointer (UAF!)
    Note over bgp_route_refresh_receive: NEW CODE (fix): always syncs
    bgp_route_refresh_receive->>updgrp_peer_orf: "updgrp_peer->orf_plist = NULL (safe)"
```
Reviews (1): Last reviewed commit: "bgpd: Fix use-after-free for ORF case"
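The review above describes the bug as a cached copy of a pointer that is only refreshed when the owner's value is non-NULL, so the owner's free-and-clear never reaches the copy. The following is an added example, not FRR code and not part of this PR: it models the two pointers with hypothetical stand-in structs (`struct peer`, `struct updgrp_peer`, `struct prefix_list`, and the helper names `orf_remove_all`, `sync_orf_plist_old`, `sync_orf_plist_new`, `announce_uses_orf`, `cached_pointer_dangles` are all assumptions chosen for illustration) and runs the route-refresh "remove all" sequence once with the conditional sync and once with the unconditional sync, reporting whether the consumer's cached pointer still claims a list exists after the owner freed it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for FRR's prefix list, peer and update-group peer.
 * Only the single pointer field involved in the bug is modelled. */
struct prefix_list {
	int count;
};

struct peer {
	struct prefix_list *orf_plist;   /* owner: set/cleared by route-refresh handling */
};

struct updgrp_peer {
	struct prefix_list *orf_plist;   /* cached copy read by the announce path */
};

/* Stand-in for prefix_bgp_orf_remove_all(): the ASan trace shows it freeing
 * the list via prefix_list_delete(); the owner's pointer is then cleared. */
static void orf_remove_all(struct peer *peer)
{
	free(peer->orf_plist);
	peer->orf_plist = NULL;
}

/* Buggy sync (the "OLD CODE" path in the diagram): a NULL in the owner is
 * never propagated, so the cached copy keeps whatever it had before. */
static void sync_orf_plist_old(struct updgrp_peer *up, const struct peer *peer)
{
	if (peer->orf_plist)
		up->orf_plist = peer->orf_plist;
}

/* Fixed sync: mirror the owner unconditionally, NULL included. */
static void sync_orf_plist_new(struct updgrp_peer *up, const struct peer *peer)
{
	up->orf_plist = peer->orf_plist;
}

/* Stand-in for the announce path. It deliberately only tests the pointer for
 * NULL and never dereferences it, so the demo runs safely without ASan; the
 * real subgroup_announce_check() would call prefix_list_apply_ext() here,
 * which is the READ the sanitizer flagged. */
static bool announce_uses_orf(const struct updgrp_peer *up)
{
	return up->orf_plist != NULL;
}

/* Install an ORF list, sync, receive ORF Remove-All, sync again, then let
 * the announce timer fire. Returns true if the cached pointer still claims
 * a list is present after the owner freed it (i.e. the announce path would
 * operate on freed memory). */
bool cached_pointer_dangles(bool use_fixed_sync)
{
	struct peer peer = { 0 };
	struct updgrp_peer up = { 0 };
	void (*sync)(struct updgrp_peer *, const struct peer *) =
		use_fixed_sync ? sync_orf_plist_new : sync_orf_plist_old;

	/* Peer sends an ORF; both sync variants propagate a non-NULL pointer. */
	peer.orf_plist = calloc(1, sizeof(*peer.orf_plist));
	if (!peer.orf_plist)
		return false;
	peer.orf_plist->count = 1;
	sync(&up, &peer);

	/* ROUTE-REFRESH with ORF Remove-All: owner frees and clears its pointer. */
	orf_remove_all(&peer);
	sync(&up, &peer);

	/* Announce timer expires later and consults the cached copy. */
	return announce_uses_orf(&up);
}

int main(void)
{
	printf("conditional sync leaves dangling pointer: %s\n",
	       cached_pointer_dangles(false) ? "yes" : "no");
	printf("unconditional sync leaves dangling pointer: %s\n",
	       cached_pointer_dangles(true) ? "yes" : "no");
	return 0;
}
```

The general lesson the fix encodes: when one structure caches a pointer owned by another, every state change of the owner, including the transition to NULL, has to be mirrored, or the cache becomes the dangling reference that ASan reports. Building with `-fsanitize=address` and replacing the NULL check in `announce_uses_orf` with a real field read (`up->orf_plist->count`) would reproduce the heap-use-after-free report for the conditional-sync variant.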
@Mergifyio backport stable/10.6 stable/10.5 stable/10.4 stable/10.3 stable/10.2

✅ Backports have been created
- bgpd: Fix use-after-free for ORF case (backport #22080)
- bgpd: Fix use-after-free for ORF case (backport #22080)
- bgpd: Fix use-after-free for ORF case (backport #22080)
- bgpd: Fix use-after-free for ORF case (backport #22080)
- bgpd: Fix use-after-free for ORF case (backport #22080)