bgpd: Fix use-after-free for ORF case (backport #22080)#22091
Merged
Conversation
This is similar to ffff1a1, and 3d43d7b. Just mirror and use the same pattern to avoid dangling pointers for orf_plist. ==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x508000037638 at pc 0x7f4daf26dae3 bp 0x7fffb1118f40 sp 0x7fffb1118f30 READ of size 4 at 0x508000037638 thread T0 0 0x7f4daf26dae2 in prefix_list_apply_ext lib/plist.c:789 1 0x55b2c256c487 in subgroup_announce_check bgpd/bgp_route.c:2561 2 0x55b2c2574867 in subgroup_process_announce_selected bgpd/bgp_route.c:3720 3 0x55b2c267fd30 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:853 4 0x55b2c2680174 in subgroup_announce_route bgpd/bgp_updgrp_adv.c:909 5 0x55b2c2672d25 in peer_af_announce_route bgpd/bgp_updgrp.c:2296 6 0x55b2c2537780 in bgp_announce_route_timer_expired bgpd/bgp_route.c:6650 7 0x7f4daf33e06f in event_call lib/event.c:2740 8 0x7f4daf159f39 in frr_run lib/libfrr.c:1258 9 0x55b2c229e612 in main bgpd/bgp_main.c:549 10 0x7f4dad6fa1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb) 0x508000037638 is located 24 bytes inside of 88-byte region [0x508000037620,0x508000037678) freed by thread T0 here: 0 0x7f4dafde24d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 1 0x7f4daf1a6060 in qfree lib/memory.c:136 2 0x7f4daf26b1b7 in prefix_list_free lib/plist.c:156 3 0x7f4daf26b1b7 in prefix_list_delete lib/plist.c:247 4 0x7f4daf2714c2 in prefix_bgp_orf_remove_all lib/plist.c:1518 5 0x55b2c24f910d in bgp_route_refresh_receive bgpd/bgp_packet.c:2977 6 0x55b2c250809a in bgp_process_packet bgpd/bgp_packet.c:4167 7 0x7f4daf33e06f in event_call lib/event.c:2740 8 0x7f4daf159f39 in frr_run lib/libfrr.c:1258 9 0x55b2c229e612 in main bgpd/bgp_main.c:549 10 0x7f4dad6fa1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb) Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> (cherry picked from commit 6ae21da)
|
Target branch is not in the allowed branches list. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automatic backport of pull request #22080 done by [Mergify](https://mergify.com).