From ee723e13825920376a3938a5e3c0b355b4861e4a Mon Sep 17 00:00:00 2001
From: Quentin Young <qlyoung@cumulusnetworks.com>
Date: Tue, 2 Jun 2020 15:33:05 -0400
Subject: [PATCH] vrrpd: don't allow autocreated vr's in NB layer

Changing properties on an autoconfigured VRRP instance results in its
pointer being stored as a userdata in the NB tree, leading to UAF when
autoconfigure deletes the instance and then later NB operations take
place using the now-stale pointer.

Ticket: CM-29850
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
---
 vrrpd/vrrp_northbound.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/vrrpd/vrrp_northbound.c b/vrrpd/vrrp_northbound.c
index e9cd714a95..ad6775dd35 100644
--- a/vrrpd/vrrp_northbound.c
+++ b/vrrpd/vrrp_northbound.c
@@ -40,12 +40,22 @@ static int lib_interface_vrrp_vrrp_group_create(struct nb_cb_create_args *args)
 	uint8_t version = 3;
 	struct vrrp_vrouter *vr;
 
-	if (args->event != NB_EV_APPLY)
-		return NB_OK;
-
 	ifp = nb_running_get_entry(args->dnode, NULL, true);
 	vrid = yang_dnode_get_uint8(args->dnode, "./virtual-router-id");
 	version = yang_dnode_get_enum(args->dnode, "./version");
+
+	switch (event) {
+	case NB_EV_VALIDATE:
+		vr = vrrp_lookup(ifp, vrid);
+		if (vr && vr->autoconf)
+			return NB_ERR_VALIDATION;
+	case NB_EV_PREPARE:
+	case NB_EV_ABORT:
+		return NB_OK;
+	case NB_EV_APPLY:
+		break;
+	}
+
 	vr = vrrp_vrouter_create(ifp, vrid, version);
 	nb_running_set_entry(args->dnode, vr);