zebra: fix head-after-free when accessing NHE dependencies #17072
+1
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
After having refreshed a recursive protocol NHG, a heaf after free happens on the NHG dependencies. > READ of size 4 at 0x60e000074cc0 thread T0 > #0 0x555ea629eef0 in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1904 > FRRouting#1 0x555ea62a2748 in zebra_nhg_proto_add zebra/zebra_nhg.c:3981 > FRRouting#2 0x555ea62ccf6c in process_subq_nhg zebra/zebra_rib.c:2737 > FRRouting#3 0x555ea62ccf6c in process_subq zebra/zebra_rib.c:3342 > FRRouting#4 0x555ea62ccf6c in meta_queue_process zebra/zebra_rib.c:3395 > FRRouting#5 0x7fd799f1207f in work_queue_run lib/workqueue.c:282 > FRRouting#6 0x7fd799ef3d3b in event_call lib/event.c:2011 > FRRouting#7 0x7fd799e1b897 in frr_run lib/libfrr.c:1212 > FRRouting#8 0x555ea61860b6 in main zebra/main.c:533 > FRRouting#9 0x7fd799829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > FRRouting#10 0x7fd799829e3f in __libc_start_main_impl ../csu/libc-start.c:392 > FRRouting#11 0x555ea6188ed4 in _start (/usr/lib/frr/zebra+0x1b4ed4) > > 0x60e000074cc0 is located 96 bytes inside of 160-byte region [0x60e000074c60,0x60e000074d00) > freed by thread T0 here: > #0 0x7fd79a2b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 > FRRouting#1 0x555ea629ef69 in nhg_connected_tree_decrement_ref zebra/zebra_nhg.c:187 > FRRouting#2 0x555ea629eec7 in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1920 > FRRouting#3 0x555ea62bc110 in route_entry_update_nhe zebra/zebra_rib.c:454 > FRRouting#4 0x555ea62bc3fb in rib_handle_nhg_replace zebra/zebra_rib.c:478 > FRRouting#5 0x555ea62a22f8 in zebra_nhg_proto_add zebra/zebra_nhg.c:3966 Actually, 'debug zebra nexthop detail' is enabled and tries to display nhg_depend list whose NHE have been previously flushed. Fix this by removing the nhg_depends list itself, before sending it to zebra_nhg_free(). Signed-off-by: Philippe Guibert <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
After having refreshed a recursive protocol NHG, a heaf after free happens on the NHG dependencies.
Actually, 'debug zebra nexthop detail' is enabled and tries to display nhg_depend list whose NHE have been previously flushed. Fix this by removing the nhg_depends list itself, before sending it to zebra_nhg_free().