bgpd: Prevent use after free in the bnc structure
When deleting an unnumbered peer *and* in the process the LL address is being removed, there exists a case where the old peer data structure would be left on the bnc->nht_info pointer. This leads to cases where, when the nexthop resolution is also changing, there are use-after-free operations.

Address Sanitizer that led me to this:

=================================================================
==1018==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a000480480 at pc 0x556ded4d78c1 bp 0x7ffef0306fb0 sp 0x7ffef0306fa8
READ of size 8 at 0x62a000480480 thread T0
    #0 0x556ded4d78c0 in bgp_parse_nexthop_update bgpd/bgp_nht.c:431
    #1 0x556ded5b296a in bgp_read_nexthop_update bgpd/bgp_zebra.c:105
    #2 0x7f2c9be1aa85 in zclient_read lib/zclient.c:3570
    #3 0x7f2c9bde766d in thread_call lib/thread.c:1585
    #4 0x7f2c9bd634e7 in frr_run lib/libfrr.c:1123
    #5 0x556ded409a15 in main bgpd/bgp_main.c:540
    #6 0x7f2c9b81d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #7 0x556ded40c7f9 in _start (/usr/lib/frr/bgpd+0xe27f9)

0x62a000480480 is located 640 bytes inside of 23376-byte region [0x62a000480200,0x62a000485d50)
freed by thread T0 here:
    #0 0x7f2c9c026fb0 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
    #1 0x556ded5d3e42 in peer_free bgpd/bgpd.c:1113
    #2 0x556ded5d3e42 in peer_unlock_with_caller bgpd/bgpd.c:1144
    #3 0x556ded5d492e in peer_delete bgpd/bgpd.c:2457
    #4 0x556ded569e97 in no_neighbor_interface_config bgpd/bgp_vty.c:4267
    #5 0x7f2c9bd0a160 in cmd_execute_command_real lib/command.c:949
    #6 0x7f2c9bd0e112 in cmd_execute_command lib/command.c:1009
    #7 0x7f2c9bd0e573 in cmd_execute lib/command.c:1162
    #8 0x7f2c9bdf4402 in vty_command lib/vty.c:526
    #9 0x7f2c9bdf4832 in vty_execute lib/vty.c:1291
    #10 0x7f2c9bdfb741 in vtysh_read lib/vty.c:2130
    #11 0x7f2c9bde766d in thread_call lib/thread.c:1585
    #12 0x7f2c9bd634e7 in frr_run lib/libfrr.c:1123
    #13 0x556ded409a15 in main bgpd/bgp_main.c:540
    #14 0x7f2c9b81d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
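The defect the commit message describes is a stale back-pointer: a cache entry (bnc) keeps pointing at a peer after that peer has been freed, and the next nexthop update dereferences it. The following is an added illustration of that pattern and of the fix shape (scrub every back-pointer before the owner's memory is released); it is constructed example code, not FRR's own data structures or functions. The struct names peer and bnc, the field nht_info, the bnc_table list and all function names are assumptions chosen to echo the commit message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration: the names echo the commit message (peer, bnc,
 * nht_info) but these types and functions are hypothetical, not FRR's. */
struct peer {
	char name[32];
};

/* A nexthop-cache entry that holds a back-pointer to the peer it serves. */
struct bnc {
	struct peer *nht_info;
	struct bnc *next;
};

static struct bnc *bnc_table; /* hypothetical list of all live cache entries */

struct peer *peer_new(const char *name)
{
	struct peer *p = calloc(1, sizeof(*p));
	if (!p)
		return NULL;
	strncpy(p->name, name, sizeof(p->name) - 1); /* calloc keeps it NUL-terminated */
	return p;
}

/* Register a cache entry pointing back at p. */
struct bnc *bnc_register(struct peer *p)
{
	struct bnc *b = calloc(1, sizeof(*b));
	if (!b)
		return NULL;
	b->nht_info = p;
	b->next = bnc_table;
	bnc_table = b;
	return b;
}

/* Count entries still referencing p (pointer-value comparison only). */
int bnc_refs_to(const struct peer *p)
{
	int n = 0;
	for (const struct bnc *b = bnc_table; b; b = b->next)
		if (b->nht_info == p)
			n++;
	return n;
}

/* Defect shape: the peer is freed while entries still point at it, so the
 * next update path reads freed memory (what ASan reported above). */
void peer_delete_buggy(struct peer *p)
{
	free(p);
}

/* Fix shape: clear every back-pointer first, then release the memory. */
void peer_delete_fixed(struct peer *p)
{
	for (struct bnc *b = bnc_table; b; b = b->next)
		if (b->nht_info == p)
			b->nht_info = NULL;
	free(p);
}

/* Stand-in for the nexthop-update path: returns 1 if a live peer was
 * updated, 0 if the entry has no peer and must be skipped. */
int bnc_handle_update(const struct bnc *b)
{
	if (!b->nht_info)
		return 0;
	return 1;
}

/* End-to-end scenario: two entries reference one peer, the peer is deleted
 * with the fixed routine, and the number of updates that still find a peer
 * is returned (expected 0). Returns -1 if the setup itself failed. */
int scenario_fixed_delete(void)
{
	struct peer *p = peer_new("swp1");
	struct bnc *a = bnc_register(p);
	struct bnc *b = bnc_register(p);
	if (!p || !a || !b || bnc_refs_to(p) != 2)
		return -1;
	peer_delete_fixed(p);
	return bnc_handle_update(a) + bnc_handle_update(b);
}

int main(void)
{
	printf("updates touching a freed peer after fixed delete: %d\n",
	       scenario_fixed_delete());
	return 0;
}
```

The unsafe variant is kept only to show the contrast and is never invoked; under ASan a call to it followed by bnc_handle_update would produce a heap-use-after-free report of the same shape as the one in the commit message.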