Merge pull request #6158 from qlyoung/fix-cluster-list-uaf

bgpd: fix multiple bugs with cluster_list attrs
2025-08-13 01:52:27 +00:00 · 2020-04-06 17:38:27 +02:00 · 2020-04-06 17:38:27 +02:00 · f728a3bb99
commit f728a3bb99
parent e53181264a 628565c73d
2 changed files with 11 additions and 10 deletions
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@ -119,11 +119,11 @@ static void *cluster_hash_alloc(void *p)
 /* Cluster list related functions. */
 static struct cluster_list *cluster_parse(struct in_addr *pnt, int length)
 {
-	struct cluster_list tmp;
+	struct cluster_list tmp = {};
 	struct cluster_list *cluster;

 	tmp.length = length;
-	tmp.list = pnt;
+	tmp.list = length == 0 ? NULL : pnt;

 	cluster = hash_get(cluster_hash, &tmp, cluster_hash_alloc);
 	cluster->refcnt++;
@ -180,14 +180,16 @@ static struct cluster_list *cluster_intern(struct cluster_list *cluster)
 	return find;
 }

-void cluster_unintern(struct cluster_list *cluster)
+static void cluster_unintern(struct cluster_list **cluster)
 {
-	if (cluster->refcnt)
-		cluster->refcnt--;
+	if ((*cluster)->refcnt)
+		(*cluster)->refcnt--;

-	if (cluster->refcnt == 0) {
-		hash_release(cluster_hash, cluster);
-		cluster_free(cluster);
+	if ((*cluster)->refcnt == 0) {
+		void *p = hash_release(cluster_hash, *cluster);
+		assert(p == *cluster);
+		cluster_free(*cluster);
+		*cluster = NULL;
 	}
 }

@ -1035,7 +1037,7 @@ void bgp_attr_unintern_sub(struct attr *attr)
 	UNSET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LARGE_COMMUNITIES));

 	if (attr->cluster)
-		cluster_unintern(attr->cluster);
+		cluster_unintern(&attr->cluster);
 	UNSET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_CLUSTER_LIST));

 	if (attr->transit)
--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
@ -335,7 +335,6 @@ extern unsigned long int attr_unknown_count(void);

 /* Cluster list prototypes. */
 extern bool cluster_loop_check(struct cluster_list *, struct in_addr);
-extern void cluster_unintern(struct cluster_list *);

 /* Below exported for unit-test purposes only */
 struct bgp_attr_parser_args {