Commit 01578ed
pimd: fix a possible use after free bug when doing pim trace
```
ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000aecf0 at pc 0x5555557ecdb9 bp 0x7fffffffe350 sp 0x7fffffffe340
READ of size 4 at 0x6160000aecf0 thread T0
#0 0x5555557ecdb8 in igmp_source_delete pimd/pim_igmpv3.c:340
#1 0x5555557ed475 in igmp_source_delete_expired pimd/pim_igmpv3.c:405
#2 0x5555557de574 in igmp_group_timer pimd/pim_igmp.c:1346
#3 0x7ffff7275421 in event_call lib/event.c:1996
#4 0x7ffff7140797 in frr_run lib/libfrr.c:1237
#5 0x5555557f5840 in main pimd/pim_main.c:166
#6 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308
#7 0x555555686eed in _start (/usr/lib/frr/pimd+0x132eed)
0x6160000aecf0 is located 112 bytes inside of 600-byte region [0x6160000aec80,0x6160000aeed8)
freed by thread T0 here:
#0 0x7ffff767b40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x7ffff716ed34 in qfree lib/memory.c:131
#2 0x5555557169ae in pim_channel_oil_free pimd/pim_oil.c:84
#3 0x555555717981 in pim_channel_oil_del pimd/pim_oil.c:199
#4 0x55555573c42c in tib_sg_gm_prune pimd/pim_tib.c:196
#5 0x5555557d6d04 in igmp_source_forward_stop pimd/pim_igmp.c:229
#6 0x5555557d5855 in igmp_anysource_forward_stop pimd/pim_igmp.c:61
#7 0x5555557de539 in igmp_group_timer pimd/pim_igmp.c:1344
#8 0x7ffff7275421 in event_call lib/event.c:1996
#9 0x7ffff7140797 in frr_run lib/libfrr.c:1237
#10 0x5555557f5840 in main pimd/pim_main.c:166
#11 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7ffff767ba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x7ffff716ebe1 in qcalloc lib/memory.c:106
#2 0x555555716eb7 in pim_channel_oil_add pimd/pim_oil.c:133
#3 0x55555573b2b9 in tib_sg_oil_setup pimd/pim_tib.c:30
#4 0x55555573bdd3 in tib_sg_gm_join pimd/pim_tib.c:119
#5 0x5555557d6788 in igmp_source_forward_start pimd/pim_igmp.c:193
#6 0x5555557d5771 in igmp_anysource_forward_start pimd/pim_igmp.c:51
#7 0x5555557ecaa0 in group_exclude_fwd_anysrc_ifempty pimd/pim_igmpv3.c:310
#8 0x5555557ef937 in toex_incl pimd/pim_igmpv3.c:839
#9 0x5555557f00a2 in igmpv3_report_toex pimd/pim_igmpv3.c:938
#10 0x5555557f543d in igmp_v3_recv_report pimd/pim_igmpv3.c:2000
#11 0x5555557da2b4 in pim_igmp_packet pimd/pim_igmp.c:787
#12 0x5555556ee46a in process_igmp_packet pimd/pim_mroute.c:763
#13 0x5555556ee5f3 in pim_mroute_msg pimd/pim_mroute.c:787
#14 0x5555556eef58 in mroute_read pimd/pim_mroute.c:877
#15 0x7ffff7275421 in event_call lib/event.c:1996
#16 0x7ffff7140797 in frr_run lib/libfrr.c:1237
#17 0x5555557f5840 in main pimd/pim_main.c:166
#18 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free pimd/pim_igmpv3.c:340 in igmp_source_delete
Shadow bytes around the buggy address:
0x0c2c8000dd40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c8000dd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c8000dd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c8000dd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c8000dd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c8000dd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
0x0c2c8000dda0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c8000ddb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c8000ddc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c8000ddd0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c2c8000dde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
```
Signed-off-by: Jafar Al-Gharaibeh <[email protected]>

1 parent fa6ab53, commit 01578ed

1 file changed: +1 -1
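The ownership hazard the report above pins down, modelled as an added C example that is neither FRR code nor the commit's own change (the page does not show the changed line): several IGMP sources in a group share one channel oil; the group timer first stops forwarding, which frees the oil through the group's pointer, and then deletes the expired sources, which still hold their own pointers into it and read through them. The struct names, the reference count, and the oil_unref helper are all constructed for illustration. The hardening shown is one standard way to remove a free-then-read of this shape: every holder owns a counted reference and the holder's pointer is cleared when the reference is dropped, so the oil outlives the last pointer to it and the read in source_delete only ever sees a live object or NULL.

```c
/* Added example, not FRR code: a constructed model of the free-then-read
 * ordering in the ASan report (the group timer stops forwarding, freeing the
 * shared channel oil, then deletes expired sources that still point at it),
 * hardened with counted references that clear the holder's pointer. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_SRC 8

struct oil {
	int refcnt;          /* live pointers to this object: the group + each source */
	int id;
};

struct source {
	struct oil *oil;     /* back-reference to the shared oil, NULL once released */
	int expired;
	int deleted;
};

struct group {
	struct oil *oil;     /* the group's own reference (anysource forwarding) */
	struct source *src[MAX_SRC];
	int nsrc;
	int oils_freed;      /* counts real free() calls on oils */
	int stale_reads;     /* reads through a pointer whose object is already gone */
};

static struct oil *oil_ref(struct oil *o)
{
	if (o)
		o->refcnt++;
	return o;
}

/* Drop the reference held in *holder and clear it. The object is freed only
 * when the last holder lets go, so no back-reference can dangle. */
static void oil_unref(struct group *g, struct oil **holder)
{
	struct oil *o = *holder;
	*holder = NULL;
	if (!o)
		return;
	if (--o->refcnt == 0) {
		g->oils_freed++;
		free(o);
	}
}

static struct group *group_new(int nsrc)
{
	struct group *g = calloc(1, sizeof(*g));
	g->oil = calloc(1, sizeof(*g->oil));
	g->oil->refcnt = 1;
	g->oil->id = 1;
	for (int i = 0; i < nsrc && i < MAX_SRC; i++) {
		struct source *s = calloc(1, sizeof(*s));
		s->oil = oil_ref(g->oil); /* each source counts its own pointer */
		s->expired = 1;           /* constructed: all sources have expired */
		g->src[g->nsrc++] = s;
	}
	return g;
}

/* Stands in for igmp_anysource_forward_stop -> pim_channel_oil_del: the group
 * gives up its reference. With raw pointers this is where the report's free
 * happened; here the oil stays alive as long as any source still points at it. */
static void forward_stop(struct group *g)
{
	oil_unref(g, &g->oil);
}

/* Stands in for igmp_source_delete: the read of the oil is safe because the
 * source still owns a reference until oil_unref releases it just below. */
static void source_delete(struct group *g, struct source *s)
{
	if (s->oil) {
		if (s->oil->refcnt <= 0)
			g->stale_reads++; /* cannot happen with counted references */
		printf("delete source: oil %d refcnt %d\n", s->oil->id, s->oil->refcnt);
	}
	oil_unref(g, &s->oil);
	s->deleted = 1;
}

/* Stands in for igmp_group_timer: first the prune (pim_igmp.c:1344 in the
 * report), then the deletion of expired sources (pim_igmp.c:1346). */
static void group_timer(struct group *g)
{
	forward_stop(g);
	for (int i = 0; i < g->nsrc; i++)
		if (g->src[i]->expired)
			source_delete(g, g->src[i]);
}

static void group_free(struct group *g)
{
	for (int i = 0; i < g->nsrc; i++) {
		oil_unref(g, &g->src[i]->oil);
		free(g->src[i]);
	}
	oil_unref(g, &g->oil);
	free(g);
}

/* Runs the timer scenario for nsrc sources; returns 1 when exactly one oil was
 * freed, no stale read happened, and every holder's pointer ended up NULL. */
int timer_scenario_ok(int nsrc)
{
	struct group *g = group_new(nsrc);
	group_timer(g);
	int ok = g->oils_freed == 1 && g->stale_reads == 0 && g->oil == NULL;
	for (int i = 0; i < g->nsrc; i++)
		ok = ok && g->src[i]->deleted && g->src[i]->oil == NULL;
	group_free(g);
	return ok;
}

/* How many oils forward_stop alone frees: 0 while sources still hold references
 * (the raw-pointer code freed the oil right here), 1 once nobody else does. */
int freed_by_forward_stop(int nsrc)
{
	struct group *g = group_new(nsrc);
	forward_stop(g);
	int freed = g->oils_freed;
	group_free(g);
	return freed;
}

int main(void)
{
	printf("timer scenario ok: %d\n", timer_scenario_ok(3));
	printf("freed during forward_stop, 3 sources: %d\n", freed_by_forward_stop(3));
	printf("freed during forward_stop, 0 sources: %d\n", freed_by_forward_stop(0));
	return 0;
}
```

Built with `-fsanitize=address`, the model stays clean because the only free happens in the last oil_unref; replacing oil_unref with a plain free() in forward_stop and leaving the sources' pointers untouched reproduces the report's shape (free in the prune step, read two steps later in source_delete) for anyone who wants to see ASan flag it.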
Diff (file name not captured in this extraction): lines 193-195 and 197 unchanged context, original line 196 replaced by one new line 196. The text of the removed and added line was not captured.
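Review bot: the hunk body is missing from this page, so the one-line change cannot be verified against the report; what the report does fix is the shape of the bug, and the change should be checked against it. Both the free and the stale read occur inside the same igmp_group_timer call: the free at pim_igmp.c:1344 via igmp_anysource_forward_stop -> igmp_source_forward_stop -> tib_sg_gm_prune -> pim_channel_oil_del -> pim_channel_oil_free, and the 4-byte read at pim_igmp.c:1346 via igmp_source_delete_expired -> igmp_source_delete (pim_igmpv3.c:340), 112 bytes into the 600-byte channel oil allocated by pim_channel_oil_add. The source being deleted therefore still holds a pointer into the oil after the group's prune freed it. Confirm that the change either clears that pointer when the oil goes away or moves the read in igmp_source_delete ahead of the prune, and that the same free-then-read ordering does not remain on the other paths into igmp_source_forward_stop; the commit message would also benefit from the steps that triggered the report so the case can be retested under ASan.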