[PATCH] Fix protocol memory use free under certain configure/undo cases

Ondrej Zajicek santiago at crfreenet.org
Mon May 5 11:04:57 CEST 2014


On Mon, May 05, 2014 at 10:28:03AM +0300, Sergey Popovich wrote:
> It is possible to cause BIRD to use after free memory block, allocated
> to the protocol in the following conditions:

Hi

Thanks for the bug report and the patch.

> diff --git a/nest/proto.c b/nest/proto.c
> index edb490f..c21be85 100644
> --- a/nest/proto.c
> +++ b/nest/proto.c
> @@ -599,7 +599,10 @@ proto_rethink_goal(struct proto *p)
>        rem_node(&p->glob_node);
>        mb_free(p);
>        if (!nc)
> -	return;
> +        {
> +          p->cf->global->proto = NULL;
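
Review bot: the added `p->cf->global->proto = NULL;` in the `if (!nc)` branch dereferences `p` after `mb_free(p)` has already run a few lines earlier in the same hunk, so the fix itself reads freed memory. Clear the back-pointer before the `mb_free(p)` call, or copy `p->cf` into a local variable before freeing and use that afterwards. The added lines are also indented with spaces, while the removed `return;` line used a tab.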

I guess here should be p->cf->proto (there is no proto in p->cf->global).

It is probably better to move it unconditionally before
config_del_obstacle(), like in attached patch.

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_undo.patch
Type: text/x-diff
Size: 406 bytes
Desc: not available
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20140505/b93ab609/attachment-0001.patch>