author | Donald Sharp <sharpd@nvidia.com> | 2020-11-27 00:23:57 +0100 |
---|---|---|
committer | Donald Sharp <sharpd@nvidia.com> | 2020-11-27 00:28:48 +0100 |
commit | 91191fa233b9478ba0d15c1a89fd02b44bead03b (patch) | |
tree | ff9d6c786415d9894c6f34ae1a6ea3d8f673b757 /ldpd/ldpe.c | |
parent | Merge pull request #7603 from donaldsharp/ospf_crash_fix (diff) | |
ldpd: Prevent usage after free
error 26-Nov-2020 14:35:02 ERROR: AddressSanitizer: heap-use-after-free on address 0x631000024838 at pc 0x55cefae977e9 bp 0x7ffdd3546860 sp 0x7ffdd3546850
error 26-Nov-2020 14:35:02 READ of size 4 at 0x631000024838 thread T0
error 26-Nov-2020 14:35:02 #0 0x55cefae977e8 in ldpe_imsg_compose_parent_sync ldpd/ldpe.c:256
error 26-Nov-2020 14:35:02 #1 0x55cefae9ab13 in vlog ldpd/log.c:53
error 26-Nov-2020 14:35:02 #2 0x55cefae9b21f in log_info ldpd/log.c:102
error 26-Nov-2020 14:35:02 #3 0x55cefae96eae in ldpe_shutdown ldpd/ldpe.c:237
error 26-Nov-2020 14:35:02 #4 0x55cefae99254 in ldpe_dispatch_main ldpd/ldpe.c:585
error 26-Nov-2020 14:35:02 #5 0x55cefaf93875 in thread_call lib/thread.c:1681
error 26-Nov-2020 14:35:02 #6 0x55cefae97304 in ldpe ldpd/ldpe.c:136
error 26-Nov-2020 14:35:02 #7 0x55cefae5a2e2 in main ldpd/ldpd.c:322
error 26-Nov-2020 14:35:02 #8 0x7f4ef0c33b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
error 26-Nov-2020 14:35:02 #9 0x55cefae525e9 in _start (/usr/lib/frr/ldpd+0xb35e9)
error 26-Nov-2020 14:35:02
error 26-Nov-2020 14:35:02 0x631000024838 is located 65592 bytes inside of 65632-byte region [0x631000014800,0x631000024860)
error 26-Nov-2020 14:35:02 freed by thread T0 here:
error 26-Nov-2020 14:35:02 #0 0x7f4ef21e37a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
error 26-Nov-2020 14:35:02 #1 0x55cefae96e91 in ldpe_shutdown ldpd/ldpe.c:234
error 26-Nov-2020 14:35:02 #2 0x55cefae99254 in ldpe_dispatch_main ldpd/ldpe.c:585
error 26-Nov-2020 14:35:02 #3 0x55cefaf93875 in thread_call lib/thread.c:1681
error 26-Nov-2020 14:35:02 #4 0x55cefae97304 in ldpe ldpd/ldpe.c:136
error 26-Nov-2020 14:35:02 #5 0x55cefae5a2e2 in main ldpd/ldpd.c:322
error 26-Nov-2020 14:35:02 #6 0x7f4ef0c33b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
error 26-Nov-2020 14:35:02
error 26-Nov-2020 14:35:02 previously allocated by thread T0 here:
error 26-Nov-2020 14:35:02 #0 0x7f4ef21e3d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
error 26-Nov-2020 14:35:02 #1 0x55cefae9725d in ldpe ldpd/ldpe.c:127
error 26-Nov-2020 14:35:02 #2 0x55cefae5a2e2 in main ldpd/ldpd.c:322
error 26-Nov-2020 14:35:02 #3 0x7f4ef0c33b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
Clean this problem up in the same way as the previous commit
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Diffstat (limited to 'ldpd/ldpe.c')
-rw-r--r-- | ldpd/ldpe.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/ldpd/ldpe.c b/ldpd/ldpe.c
index ffc1d17f5..f3f8b8510 100644
--- a/ldpd/ldpe.c
+++ b/ldpd/ldpe.c
@@ -49,6 +49,7 @@ struct ldpd_conf *leconf;
 struct ldpd_sysdep sysdep;
 #endif
+static struct imsgev iev_main_data;
 static struct imsgev *iev_main, *iev_main_sync;
 static struct imsgev *iev_lde;
 #ifdef __OpenBSD__
@@ -124,8 +125,8 @@ ldpe(void)
 &iev_main->ev_read);
 iev_main->handler_write = ldp_write_handler;
- if ((iev_main_sync = calloc(1, sizeof(struct imsgev))) == NULL)
- fatal(NULL);
+ memset(&iev_main_data, 0, sizeof(iev_main_data));
+ iev_main_sync = &iev_main_data;
 imsg_init(&iev_main_sync->ibuf, LDPD_FD_SYNC);
 /* create base configuration */
@@ -231,7 +232,6 @@ ldpe_shutdown(void)
 if (iev_lde)
 free(iev_lde);
 free(iev_main);
- free(iev_main_sync);
 free(pkt_ptr);
 log_info("ldp engine exiting"); |
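Review bot: The new `iev_main_data` declaration in the first hunk has no comment saying why this one imsgev is static while `iev_main` and `iev_lde` stay heap-allocated, which invites a later cleanup that reintroduces the use-after-free. The sanitizer trace in the commit message shows `log_info` reaching `ldpe_imsg_compose_parent_sync` after the frees in `ldpe_shutdown`, so the object has to outlive shutdown. I would add `/* static: the log path uses iev_main_sync until exit, so it must never be freed */` above the declaration. In the second hunk the `memset` is redundant on first use because static storage is already zeroed; it only matters if `ldpe()` can run more than once in a process, which the hunk does not show.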
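Review bot: In the `ldpe_shutdown` hunk, `free(iev_main)` and `free(iev_lde)` still leave dangling file-scope pointers immediately before `log_info`, the same shape that produced the reported heap-use-after-free. The trace only shows the log path reading `iev_main_sync`, so this is presumably safe today, but a later change that makes logging or dispatch touch `iev_main` would read freed memory silently outside a sanitizer build. Setting `iev_main = NULL;` and `iev_lde = NULL;` right after the frees would make such a regression fail deterministically. `ldpe_shutdown` starts and ends outside the hunk, so any earlier teardown of these objects is not visible here.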