Merge pull request #6158 from qlyoung/fix-cluster-list-uaf

bgpd: fix multiple bugs with cluster_list attrs
David Lamparter 2020-04-06 17:38:27 +02:00 committed by GitHub
commit f728a3bb99
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 10 deletions


@ -119,11 +119,11 @@ static void *cluster_hash_alloc(void *p)
/* Cluster list related functions. */ /* Cluster list related functions. */
static struct cluster_list *cluster_parse(struct in_addr *pnt, int length) static struct cluster_list *cluster_parse(struct in_addr *pnt, int length)
{ {
struct cluster_list tmp; struct cluster_list tmp = {};
struct cluster_list *cluster; struct cluster_list *cluster;
tmp.length = length; tmp.length = length;
tmp.list = pnt; tmp.list = length == 0 ? NULL : pnt;
cluster = hash_get(cluster_hash, &tmp, cluster_hash_alloc); cluster = hash_get(cluster_hash, &tmp, cluster_hash_alloc);
cluster->refcnt++; cluster->refcnt++;
@ -180,14 +180,16 @@ static struct cluster_list *cluster_intern(struct cluster_list *cluster)
return find; return find;
} }
void cluster_unintern(struct cluster_list *cluster) static void cluster_unintern(struct cluster_list **cluster)
{ {
if (cluster->refcnt) if ((*cluster)->refcnt)
cluster->refcnt--; (*cluster)->refcnt--;
if (cluster->refcnt == 0) { if ((*cluster)->refcnt == 0) {
hash_release(cluster_hash, cluster); void *p = hash_release(cluster_hash, *cluster);
cluster_free(cluster); assert(p == *cluster);
cluster_free(*cluster);
*cluster = NULL;
} }
} }
@ -1035,7 +1037,7 @@ void bgp_attr_unintern_sub(struct attr *attr)
UNSET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LARGE_COMMUNITIES)); UNSET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LARGE_COMMUNITIES));
if (attr->cluster) if (attr->cluster)
cluster_unintern(attr->cluster); cluster_unintern(&attr->cluster);
UNSET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_CLUSTER_LIST)); UNSET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_CLUSTER_LIST));
if (attr->transit) if (attr->transit)
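Review bot: In the new `cluster_unintern`, `*cluster = NULL;` sits inside the `refcnt == 0` branch, so when other holders remain the caller's pointer stays set even though its own reference has been dropped. In `bgp_attr_unintern_sub` that leaves `attr->cluster` non-NULL with the CLUSTER_LIST flag already cleared, and a second unintern of the same attr would decrement a count it no longer owns, which looks like the same use-after-free class the branch name refers to. If no caller depends on the pointer surviving (not visible here), move `*cluster = NULL;` below the closing brace of the `if`; otherwise document the contract with a comment such as `/* *cluster is cleared only when the last reference is dropped */`. Separately, `struct cluster_list tmp = {};` in `cluster_parse` is a GNU/C23 spelling, and `= {0}` is the portable form. `cluster_parse` and `bgp_attr_unintern_sub` both continue outside their hunks.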


@ -335,7 +335,6 @@ extern unsigned long int attr_unknown_count(void);
/* Cluster list prototypes. */ /* Cluster list prototypes. */
extern bool cluster_loop_check(struct cluster_list *, struct in_addr); extern bool cluster_loop_check(struct cluster_list *, struct in_addr);
extern void cluster_unintern(struct cluster_list *);
/* Below exported for unit-test purposes only */ /* Below exported for unit-test purposes only */
struct bgp_attr_parser_args { struct bgp_attr_parser_args {