zebra: Fix use-after-free issue in srte cleanup

Currently, in `zebra_srte_client_close_cleanup` we use the `RB_FOREACH`
macro to traverse the SR policies tree. We remove the SR policies within
the loop. Removing elements from the tree and freeing them is not safe
and causes a use-after-free crash whenever the
`zebra_srte_client_close_cleanup` is called to perform cleanup.

This commit replaces the `RB_FOREACH` macro with its variant
`RB_FOREACH_SAFE`. Unlike `RB_FOREACH`, `RB_FOREACH_SAFE` permits both
the removal of tree elements as well as freeing them from within the
loop safely.

Signed-off-by: Carmine Scarpitta <carmine.scarpitta@uniroma2.it>
Carmine Scarpitta 2022-11-18 13:19:14 +01:00
parent b7de3fe8a9
commit 22efe557f1

@ -387,13 +387,13 @@ int zebra_sr_policy_label_update(mpls_label_t label,
static int zebra_srte_client_close_cleanup(struct zserv *client)
{
int sock = client->sock;
struct zebra_sr_policy *policy;
struct zebra_sr_policy *policy, *policy_temp;
if (!sock)
return 0;
RB_FOREACH (policy, zebra_sr_policy_instance_head,
&zebra_sr_policy_instances) {
RB_FOREACH_SAFE (policy, zebra_sr_policy_instance_head,
&zebra_sr_policy_instances, policy_temp) {
if (policy->sock == sock)
zebra_sr_policy_del(policy);
}
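Review bot: In the `RB_FOREACH_SAFE` loop, the fix is sound only as long as `zebra_sr_policy_del(policy)` removes and frees the current `policy` and nothing else. `policy_temp` is read before the loop body runs, so if the delete path can ever drop another entry from `zebra_sr_policy_instances`, including that cached successor, the next iteration dereferences freed memory again. Please confirm that `zebra_sr_policy_del` has no such side effect, and add a one-line comment above the loop stating that entries are deleted during traversal, so a later cleanup does not switch it back to `RB_FOREACH`. Since the commit message says the old code crashed on every call, a test that closes a client owning at least one SR policy would also keep this from regressing.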