proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-13 21:10:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pimd: fix UAF/heap corruption in BSM code

Browse Source 
This `XFREE()` call is in plainly in the wrong spot.  `rp_all` (the
224.0.0.0/4 entry) isn't supposed to be free'd ever, and the
conditional above makes quite clear that it remains in use.

It may be possible to exploit this as a heap corruption bug, maybe even
as RCE.  I haven't tried; I randomly noticed this while working on the
BSM code.  Luckily this code is only run by the CLI for the clear
command, so the surface is very small.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
This commit is contained in:
David Lamparter 2021-09-27 10:33:33 +02:00
parent 83caa5e5c1
commit 200f56710a
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pimd/pim_cmd.c
View File

@ -4140,10 +4140,9 @@ static void clear_pim_bsr_db(struct pim_instance *pim)
rpnode->info = NULL; rpnode->info = NULL;
route_unlock_node(rpnode); route_unlock_node(rpnode);
route_unlock_node(rpnode); route_unlock_node(rpnode);
XFREE(MTYPE_PIM_RP, rp_info);
} }
XFREE(MTYPE_PIM_RP, rp_info);
pim_free_bsgrp_node(bsgrp->scope->bsrp_table, &bsgrp->group); pim_free_bsgrp_node(bsgrp->scope->bsrp_table, &bsgrp->group);
pim_free_bsgrp_data(bsgrp); pim_free_bsgrp_data(bsgrp);
} }