mirror_frr/zebra
Donald Sharp 5f27bcba2a zebra: Fix use after free in rib_process_result
Running zebra after commit 888756b208
in valgrind produces this item:

==17102== Invalid read of size 8
==17102==    at 0x44D84C: rib_dest_from_rnode (rib.h:375)
==17102==    by 0x4546ED: rib_process_result (zebra_rib.c:1904)
==17102==    by 0x45436D: rib_process_dplane_results (zebra_rib.c:3295)
==17102==    by 0x4D0902B: thread_call (thread.c:1607)
==17102==    by 0x4CC3983: frr_run (libfrr.c:1011)
==17102==    by 0x4266F6: main (main.c:473)
==17102==  Address 0x83bd468 is 88 bytes inside a block of size 96 free'd
==17102==    at 0x4A35F54: free (vg_replace_malloc.c:530)
==17102==    by 0x4CCAC00: qfree (memory.c:129)
==17102==    by 0x4D03DC6: route_node_destroy (table.c:501)
==17102==    by 0x4D039EE: route_node_free (table.c:90)
==17102==    by 0x4D03971: route_node_delete (table.c:382)
==17102==    by 0x44D82A: route_unlock_node (table.h:256)
==17102==    by 0x454617: rib_process_result (zebra_rib.c:1882)
==17102==    by 0x45436D: rib_process_dplane_results (zebra_rib.c:3295)
==17102==    by 0x4D0902B: thread_call (thread.c:1607)
==17102==    by 0x4CC3983: frr_run (libfrr.c:1011)
==17102==    by 0x4266F6: main (main.c:473)
==17102==  Block was alloc'd at
==17102==    at 0x4A36FF6: calloc (vg_replace_malloc.c:752)
==17102==    by 0x4CCAA2D: qcalloc (memory.c:110)
==17102==    by 0x4D03D88: route_node_create (table.c:489)
==17102==    by 0x4D0360F: route_node_new (table.c:65)
==17102==    by 0x4D034F8: route_node_set (table.c:74)
==17102==    by 0x4D03486: route_node_get (table.c:327)
==17102==    by 0x4CFB700: srcdest_rnode_get (srcdest_table.c:243)
==17102==    by 0x4545C1: rib_process_result (zebra_rib.c:1872)
==17102==    by 0x45436D: rib_process_dplane_results (zebra_rib.c:3295)
==17102==    by 0x4D0902B: thread_call (thread.c:1607)
==17102==    by 0x4CC3983: frr_run (libfrr.c:1011)
==17102==    by 0x4266F6: main (main.c:473)
==17102==

This is happening because of this order of events:

1) Route is deleted in the main thread and scheduled for rib processing.
2) Rib garbage collection is run and we remove the route node since it
is no longer needed.
3) Data plane returns from the deletion in the kernel and we call
the srcdest_rnode_get function to get the prefix that was deleted.
This recreates a new route node.  This creates a route_node with
a lock count of 1, which we freed via the route_unlock_node call.
Then we continued to use the rn pointer, which leaves us with use
after frees.

The solution is, of course, to just move the unlock of the node to the
end of the function if we have a route_node.

Fixes: #3854
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
2019-02-23 20:03:48 -05:00
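
The lock-count ordering described in the commit message above, as an added C illustration (not code from FRR or from the commit). `struct node`, `node_get` and `node_unlock` are hypothetical stand-ins for a route node, a get-or-create lookup and the unlock call; a `freed` flag replaces the real free() so the stale access is observable without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy lock-counted node; hypothetical stand-in for a route node. */
struct node {
    unsigned lock;   /* reference count */
    bool freed;      /* tombstone instead of a real free() */
};

static struct node slot;   /* one-entry "table" */

/* Get-or-create lookup: returns the node with its lock incremented. */
static struct node *node_get(void)
{
    if (slot.lock == 0)          /* not present (e.g. already GC'd) */
        slot.freed = false;      /* so it is created fresh */
    slot.lock++;
    return &slot;
}

/* Drop one reference; the node is destroyed when the count hits 0. */
static void node_unlock(struct node *n)
{
    if (--n->lock == 0)
        n->freed = true;         /* real code would free the node */
}

/* Ordering before the fix: unlock first, keep using the pointer. */
static bool process_result_early_unlock(void)
{
    struct node *rn = node_get();   /* recreated, lock == 1 */
    node_unlock(rn);                /* 1 -> 0: node destroyed */
    return rn->freed;               /* true: access after destroy */
}

/* Ordering after the fix: use the node, unlock at the very end. */
static bool process_result_late_unlock(void)
{
    struct node *rn = node_get();
    bool stale = rn->freed;         /* read while still locked */
    node_unlock(rn);
    return stale;
}

int main(void)
{
    printf("early unlock stale=%d\n", process_result_early_unlock());
    printf("late unlock stale=%d\n", process_result_late_unlock());
    return 0;
}
```

Against the real allocator the early-unlock read is the "Invalid read" valgrind reports; running the daemon or its tests under valgrind or AddressSanitizer is what surfaces this class of ordering bug.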
.gitignore *: cleanup .gitignore files 2018-09-08 21:30:42 +02:00
connected.c zebra: set connected route metric based on the devaddr metric 2019-01-25 14:19:26 -05:00
connected.h zebra: set connected route metric based on the devaddr metric 2019-01-25 14:19:26 -05:00
debug.c zebra: Add code to allow us to add debug for mlag 2019-01-31 09:20:46 -05:00
debug.h zebra: Add code to allow us to add debug for mlag 2019-01-31 09:20:46 -05:00
if_ioctl_solaris.c zebra: set connected route metric based on the devaddr metric 2019-01-25 14:19:26 -05:00
if_ioctl.c zebra: set connected route metric based on the devaddr metric 2019-01-25 14:19:26 -05:00
if_netlink.c zebra: Use the kernel flags from the IFA_FLAGS if it is available 2019-01-28 16:29:55 -05:00
if_netlink.h zebra: Remove unnecessary function parameter 2018-05-24 09:14:43 -04:00
if_sysctl.c *: spelchek 2018-10-25 20:10:57 +02:00
interface.c Merge pull request #3723 from slrz/zebra-rtadv-add-rfc8106-support 2019-02-12 14:30:00 +01:00
interface.h zebra: support DNS configuration options in rtadv 2019-02-02 19:10:19 +01:00
ioctl_solaris.c *: LIB_[ERR|WARN] -> EC_LIB 2018-09-13 19:34:28 +00:00
ioctl_solaris.h *: reindent 2017-07-17 14:04:07 +02:00
ioctl.c zebra: don't log errors on unsupported medias 2018-12-05 17:22:56 -02:00
ioctl.h *: use C99 standard fixed-width integer types 2018-03-27 15:13:34 -04:00
ipforward_proc.c zebra: fix includes 2018-09-06 20:56:41 +00:00
ipforward_solaris.c *: LIB_[ERR|WARN] -> EC_LIB 2018-09-13 19:34:28 +00:00
ipforward_sysctl.c *: style for EC replacements 2018-09-13 19:38:57 +00:00
ipforward.h *: reindent 2017-07-17 14:04:07 +02:00
irdp_interface.c zebra: Move the master thread handler to the zrouter structure 2019-01-31 09:20:46 -05:00
irdp_main.c zebra: Move the master thread handler to the zrouter structure 2019-01-31 09:20:46 -05:00
irdp_packet.c zebra: Move the master thread handler to the zrouter structure 2019-01-31 09:20:46 -05:00
irdp.h *: use C99 standard fixed-width integer types 2018-03-27 15:13:34 -04:00
kernel_netlink.c zebra: Move the master thread handler to the zrouter structure 2019-01-31 09:20:46 -05:00
kernel_netlink.h zebra: rebase dataplane, align with master 2018-10-25 08:57:04 -04:00
kernel_socket.c zebra: Move the master thread handler to the zrouter structure 2019-01-31 09:20:46 -05:00
kernel_socket.h zebra: cleanup blackhole support 2017-08-28 05:07:51 +02:00
label_manager.c zebra: Move the master thread handler to the zrouter structure 2019-01-31 09:20:46 -05:00
label_manager.h lib, zebra: fix formatting and style 2018-05-08 18:37:05 +02:00
main.c zebra: Remove struct zebra_t 2019-01-31 09:20:46 -05:00
Makefile build: convert zebra/ to non-recursive build 2017-07-31 23:03:30 +02:00
redistribute.c zebra: Remove zclient->idinfo restrictions 2019-02-05 09:13:30 -05:00
redistribute.h zebra: resolve style issues in dplane commit 2018-10-25 08:34:30 -04:00
rib.h zebra: Modify the status flag to 32 bits, add more flags 2019-01-11 11:48:14 -05:00
router-id.c zebra: Remove struct zebra_t 2019-01-31 09:20:46 -05:00
router-id.h
rt_netlink.c Merge pull request #3688 from chiragshah6/evpn_dev 2019-02-05 10:48:33 -05:00
rt_netlink.h Merge pull request #3508 from chiragshah6/evpn_dev2 2019-01-23 13:44:46 -05:00
rt_socket.c zebra: Fix use before initialized 2019-01-25 20:14:38 -05:00
rt.h Merge pull request #3684 from mjstapp/dplane_pw 2019-02-05 18:41:12 -05:00
rtadv.c zebra: Fix CLANG suggestion for braces on init of struct 2019-02-12 15:24:00 -05:00
rtadv.h zebra: support DNS configuration options in rtadv 2019-02-02 19:10:19 +01:00
rtread_getmsg.c zebra: evpn remote delete fetch local entry 2018-12-31 14:40:31 -08:00
rtread_netlink.c zebra: evpn remote delete fetch local entry 2018-12-31 14:40:31 -08:00
rtread_sysctl.c zebra: evpn remote delete fetch local entry 2018-12-31 14:40:31 -08:00
rule_netlink.c zebra: add fwmark information at netlink level 2019-01-29 14:15:51 +01:00
rule_netlink.h zebra: Remove unnecessary function parameter 2018-05-24 09:14:43 -04:00
rule_socket.c zebra: Create zebra_dplane.c and .h 2018-09-19 18:29:55 -04:00
subdir.am zebra: Add code to allow us to add debug for mlag 2019-01-31 09:20:46 -05:00
table_manager.c *: list_delete_and_null() -> list_delete() 2018-10-02 11:40:52 +02:00
table_manager.h zebra: use hooks for client lifecycle callbacks 2018-04-22 22:50:24 -04:00
testrib.conf
zapi_msg.c zebra: advertise svi ip as macip route changes 2019-02-06 19:57:53 -08:00
zapi_msg.h zebra: Add ability to send to all clients updated capability information 2019-01-31 09:28:39 -05:00
zebra_dplane.c Merge pull request #3684 from mjstapp/dplane_pw 2019-02-05 18:41:12 -05:00
zebra_dplane.h zebra: convert PW updates to async dataplane 2019-01-25 10:45:57 -05:00
zebra_errors.c zebra: reject routes without nexthops 2019-01-14 15:58:26 -02:00
zebra_errors.h zebra: reject routes without nexthops 2019-01-14 15:58:26 -02:00
zebra_fpm_dt.c *: use C99 standard fixed-width integer types 2018-03-27 15:13:34 -04:00
zebra_fpm_netlink.c zebra: Use ROUTE_ENTRY_INSTALLED as decision for route is installed 2019-01-25 20:16:15 -05:00
zebra_fpm_private.h *: reindent 2017-07-17 14:04:07 +02:00
zebra_fpm_protobuf.c *: fix clang-6 SA warnings 2018-09-08 20:34:35 +02:00
zebra_fpm.c *: style for EC replacements 2018-09-13 19:38:57 +00:00
zebra_l2.c zebra: Let zebra know about bond and blond slave intf types 2018-11-12 11:40:33 -05:00
zebra_l2.h zebra: Let zebra know about bond and blond slave intf types 2018-11-12 11:40:33 -05:00
zebra_memory.c zebra: prefer DEFINE_MTYPE_STATIC for local memtypes 2019-02-11 21:46:06 +01:00
zebra_memory.h zebra: prefer DEFINE_MTYPE_STATIC for local memtypes 2019-02-11 21:46:06 +01:00
zebra_mlag.c zebra: Add ability to send to all clients updated capability information 2019-01-31 09:28:39 -05:00
zebra_mlag.h zebra: Add a retrieve the mlag role function 2019-01-04 12:21:00 -05:00
zebra_mpls_netlink.c zebra: convert PW updates to async dataplane 2019-01-25 10:45:57 -05:00
zebra_mpls_null.c zebra: convert PW updates to async dataplane 2019-01-25 10:45:57 -05:00
zebra_mpls_openbsd.c zebra: convert PW updates to async dataplane 2019-01-25 10:45:57 -05:00
zebra_mpls_vty.c bgpd, ospfd, pimd, zebra: Convert more use_json locations to bool 2018-09-04 17:39:04 +00:00
zebra_mpls.c zebra: Deletion of a lsp is not a failure event 2019-02-13 12:49:59 -05:00
zebra_mpls.h zebra: move LSP updates into dataplane subsystem 2019-01-22 13:56:48 -05:00
zebra_mroute.c zebra: Add some additional vrf debug for retrieving mroute info 2018-09-17 09:22:31 -04:00
zebra_mroute.h zebra: standardize ZAPI message handler args 2018-03-12 14:57:05 -04:00
zebra_netns_id.c zebra: dead code (Coverity 1465497) 2018-10-02 15:45:44 +02:00
zebra_netns_id.h zebra: upon startup, a NSID is assigned to default netns 2018-02-27 11:11:24 +01:00
zebra_netns_notify.c zebra: Move the master thread handler to the zrouter structure 2019-01-31 09:20:46 -05:00
zebra_netns_notify.h zebra: collect and get netnamespaces information 2018-02-27 11:11:24 +01:00
zebra_ns.c zebra: start the netns notification mechanism after ns initialisation 2019-01-09 18:31:16 +01:00
zebra_ns.h zebra: start the netns notification mechanism after ns initialisation 2019-01-09 18:31:16 +01:00
zebra_pbr.c zebra: Remove _wrap_script from hook names 2018-10-24 06:54:30 -04:00
zebra_pbr.h zebra: Remove _wrap_script from hook names 2018-10-24 06:54:30 -04:00
zebra_ptm_redistribute.c zebra: Remove zclient->idinfo restrictions 2019-02-05 09:13:30 -05:00
zebra_ptm_redistribute.h *: reindent 2017-07-17 14:04:07 +02:00
zebra_ptm.c zebra: Move client_list to the zebra_router data structure 2019-01-31 09:20:46 -05:00
zebra_ptm.h zebra_ptm: Add IS-IS and OpenFabric as protocols supporting BFD 2018-10-05 14:04:27 +02:00
zebra_pw.c Merge pull request #3684 from mjstapp/dplane_pw 2019-02-05 18:41:12 -05:00
zebra_pw.h zebra: convert PW updates to async dataplane 2019-01-25 10:45:57 -05:00
zebra_rib.c zebra: Fix use after free in rib_process_result 2019-02-23 20:03:48 -05:00
zebra_rnh.c zebra: Use ROUTE_ENTRY_INSTALLED as decision for route is installed 2019-01-25 20:16:15 -05:00
zebra_rnh.h zebra: consolidate how we indentify address-families in the NHT code 2019-01-21 13:26:36 -02:00
zebra_routemap.c Merge pull request #3518 from rgirada/routemap_3090 2019-02-05 11:13:22 -05:00
zebra_routemap.h zebra: consolidate how we indentify address-families in the NHT code 2019-01-21 13:26:36 -02:00
zebra_router.c zebra: Move packets_to_process to zrouter 2019-01-31 09:20:46 -05:00
zebra_router.h zebra: Add mlag information to zrouter 2019-01-31 09:20:46 -05:00
zebra_snmp.c *: use C99 standard fixed-width integer types 2018-03-27 15:13:34 -04:00
zebra_vrf.c zebra: Remove struct zebra_t 2019-01-31 09:20:46 -05:00
zebra_vrf.h zebra: advertise svi ip as macip route changes 2019-02-06 19:57:53 -08:00
zebra_vty.c zebra: Do not display recursive nexthops as installed 2019-02-05 15:21:26 -05:00
zebra_vxlan_private.h zebra: advertise svi ip as macip route changes 2019-02-06 19:57:53 -08:00
zebra_vxlan.c zebra: advertise svi ip as macip route changes 2019-02-06 19:57:53 -08:00
zebra_vxlan.h zebra: advertise svi ip as macip route changes 2019-02-06 19:57:53 -08:00
zebra.conf.sample *: Remove cvs control points 2017-12-05 17:28:12 -05:00
zserv.c zebra: Update zserv debug messages to give a bit more useful info 2019-02-10 11:48:14 -05:00
zserv.h zebra: Remove zclient->idinfo restrictions 2019-02-05 09:13:30 -05:00