authorDavid Lamparter <equinox@opensourcerouting.org>2017-06-13 17:16:24 +0200
committerDavid Lamparter <equinox@opensourcerouting.org>2017-06-13 17:16:24 +0200
commit98f65fda88e54c0c1ae3060124c5bcf62bb01796 (patch)
tree2c24c1ace32a97103bf1f24edfd30590e3f7373a
parentMerge pull request #688 from opensourcerouting/openbsd-mpls-fixes (diff)
parentisisd: fix heap uaf, round 2 (diff)
Merge pull request #681 (ASAN warnings)
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
-rw-r--r--isisd/isis_adjacency.c17
-rw-r--r--ospf6d/ospf6_intra.c9
-rw-r--r--ospfd/ospf_spf.c52
-rw-r--r--ripngd/ripngd.c3
-rw-r--r--zebra/zserv.c9
5 files changed, 58 insertions, 32 deletions
diff --git a/isisd/isis_adjacency.c b/isisd/isis_adjacency.c
index f55092487..382193092 100644
--- a/isisd/isis_adjacency.c
+++ b/isisd/isis_adjacency.c
@@ -178,6 +178,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
int old_state;
int level;
struct isis_circuit *circuit;
+ bool del;
old_state = adj->adj_state;
adj->adj_state = new_state;
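Review bot: `del` is declared without an initial value and is only assigned inside the two circuit-type branches added in the later hunks, so any future branch that reads it would see an indeterminate value. Initialising it at the declaration, `bool del = false;`, removes that dependency and makes the per-branch `del = false;` resets unnecessary. The body of isis_adj_state_change continues outside this hunk.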
@@ -212,6 +213,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
if (circuit->circ_type == CIRCUIT_T_BROADCAST)
{
+ del = false;
for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
{
if ((adj->level & level) == 0)
@@ -235,7 +237,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
list_delete_all_node (circuit->lsp_queue);
}
isis_event_adjacency_state_change (adj, new_state);
- isis_delete_adj (adj);
+ del = true;
}
if (circuit->u.bc.lan_neighs[level - 1])
@@ -249,9 +251,15 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
if (circuit->u.bc.is_dr[level - 1])
lsp_regenerate_schedule_pseudo (circuit, level);
}
+
+ if (del)
+ isis_delete_adj (adj);
+
+ adj = NULL;
}
else if (circuit->circ_type == CIRCUIT_T_P2P)
{
+ del = false;
for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
{
if ((adj->level & level) == 0)
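Review bot: `adj = NULL;` after the loop clears only this function's copy of the pointer, because adj is passed by value; whenever `del` was set, the caller's pointer still refers to freed memory. The same applies to the P2P branch in the next hunk. The function returns void, so the only signal to callers is documentation, for example a header comment `/* May free adj; callers must not dereference it after this returns. */`. The condition under which `del` becomes true lies outside the visible hunks, so the exact states that free adj should be named from the full source.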
@@ -284,9 +292,14 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
list_delete_all_node (circuit->lsp_queue);
}
isis_event_adjacency_state_change (adj, new_state);
- isis_delete_adj (adj);
+ del = true;
}
}
+
+ if (del)
+ isis_delete_adj (adj);
+
+ adj = NULL;
}
return;
diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c
index 5dd10b4c7..80e67ea2a 100644
--- a/ospf6d/ospf6_intra.c
+++ b/ospf6d/ospf6_intra.c
@@ -1621,6 +1621,7 @@ ospf6_intra_brouter_calculation (struct ospf6_area *oa)
zlog_info ("brouter %s disappears via area %s",
brouter_name, oa->name);
ospf6_route_remove (brouter, oa->ospf6->brouter_table);
+ brouter = NULL;
}
else if (CHECK_FLAG (brouter->flag, OSPF6_ROUTE_ADD) ||
CHECK_FLAG (brouter->flag, OSPF6_ROUTE_CHANGE))
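Review bot: Setting `brouter = NULL;` after `ospf6_route_remove` is only safe if the enclosing loop does not advance from `brouter` itself; the loop header is outside this hunk. If the step expression reads `brouter`, the iteration would either stop early or pass NULL to the next-route helper, so the successor should be captured before the removal. A one-line comment at the assignment, such as `/* removed above; loop must advance via a saved successor */`, would record that dependency.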
@@ -1644,8 +1645,12 @@ ospf6_intra_brouter_calculation (struct ospf6_area *oa)
/* But re-originate summaries */
ospf6_abr_originate_summary (brouter);
}
- UNSET_FLAG (brouter->flag, OSPF6_ROUTE_ADD);
- UNSET_FLAG (brouter->flag, OSPF6_ROUTE_CHANGE);
+
+ if (brouter)
+ {
+ UNSET_FLAG (brouter->flag, OSPF6_ROUTE_ADD);
+ UNSET_FLAG (brouter->flag, OSPF6_ROUTE_CHANGE);
+ }
}
if (IS_OSPF6_DEBUG_BROUTER_SPECIFIC_AREA_ID (oa->area_id))
diff --git a/ospfd/ospf_spf.c b/ospfd/ospf_spf.c
index 31f0d9d28..e080a1bd5 100644
--- a/ospfd/ospf_spf.c
+++ b/ospfd/ospf_spf.c
@@ -63,33 +63,6 @@ ospf_spf_set_reason (ospf_spf_reason_t reason)
spf_reason_flags |= 1 << reason;
}
-static void
-ospf_get_spf_reason_str (char *buf)
-{
- if (!buf)
- return;
-
- buf[0] = '\0';
- if (spf_reason_flags)
- {
- if (spf_reason_flags & SPF_FLAG_ROUTER_LSA_INSTALL)
- strcat (buf, "R, ");
- if (spf_reason_flags & SPF_FLAG_NETWORK_LSA_INSTALL)
- strcat (buf, "N, ");
- if (spf_reason_flags & SPF_FLAG_SUMMARY_LSA_INSTALL)
- strcat (buf, "S, ");
- if (spf_reason_flags & SPF_FLAG_ASBR_SUMMARY_LSA_INSTALL)
- strcat (buf, "AS, ");
- if (spf_reason_flags & SPF_FLAG_ABR_STATUS_CHANGE)
- strcat (buf, "ABR, ");
- if (spf_reason_flags & SPF_FLAG_ASBR_STATUS_CHANGE)
- strcat (buf, "ASBR, ");
- if (spf_reason_flags & SPF_FLAG_MAXAGE)
- strcat (buf, "M, ");
- buf[strlen(buf)-2] = '\0'; /* skip the last ", " */
- }
-}
-
static void ospf_vertex_free (void *);
/* List of allocated vertices, to simplify cleanup of SPF.
* Not thread-safe obviously. If it ever needs to be, it'd have to be
@@ -1384,7 +1357,30 @@ ospf_spf_calculate_timer (struct thread *thread)
total_spf_time = monotime_since(&spf_start_time, &ospf->ts_spf_duration);
- ospf_get_spf_reason_str (rbuf);
+ rbuf[0] = '\0';
+ if (spf_reason_flags)
+ {
+ if (spf_reason_flags & SPF_FLAG_ROUTER_LSA_INSTALL)
+ strncat (rbuf, "R, ", sizeof(rbuf) - strlen(rbuf) - 1);
+ if (spf_reason_flags & SPF_FLAG_NETWORK_LSA_INSTALL)
+ strncat (rbuf, "N, ", sizeof(rbuf) - strlen(rbuf) - 1);
+ if (spf_reason_flags & SPF_FLAG_SUMMARY_LSA_INSTALL)
+ strncat (rbuf, "S, ", sizeof(rbuf) - strlen(rbuf) - 1);
+ if (spf_reason_flags & SPF_FLAG_ASBR_SUMMARY_LSA_INSTALL)
+ strncat (rbuf, "AS, ", sizeof(rbuf) - strlen(rbuf) - 1);
+ if (spf_reason_flags & SPF_FLAG_ABR_STATUS_CHANGE)
+ strncat (rbuf, "ABR, ", sizeof(rbuf) - strlen(rbuf) - 1);
+ if (spf_reason_flags & SPF_FLAG_ASBR_STATUS_CHANGE)
+ strncat (rbuf, "ASBR, ", sizeof(rbuf) - strlen(rbuf) - 1);
+ if (spf_reason_flags & SPF_FLAG_MAXAGE)
+ strncat (rbuf, "M, ", sizeof(rbuf) - strlen(rbuf) - 1);
+
+ size_t rbuflen = strlen(rbuf);
+ if (rbuflen >= 2)
+ rbuf[rbuflen - 2] = '\0'; /* skip the last ", " */
+ else
+ rbuf[0] = '\0';
+ }
if (IS_DEBUG_OSPF_EVENT)
{
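Review bot: Every `strncat` bound here relies on `sizeof(rbuf)` being the size of an array, but rbuf's declaration is outside the hunk; if it ever becomes a pointer or a parameter, the bound silently turns into the pointer size. The seven repeated `sizeof(rbuf) - strlen(rbuf) - 1` expressions also rescan the buffer each time, and on truncation they leave a partial tag that the trailing two-character trim then cuts into. A table of flag/tag pairs written with `snprintf` and a running offset puts the separator before each tag, so no trim is needed and truncation is detected explicitly.

```c
static const struct { unsigned int flag; const char *tag; } spf_reasons[] = {
  { SPF_FLAG_ROUTER_LSA_INSTALL,       "R"    },
  { SPF_FLAG_NETWORK_LSA_INSTALL,      "N"    },
  { SPF_FLAG_SUMMARY_LSA_INSTALL,      "S"    },
  { SPF_FLAG_ASBR_SUMMARY_LSA_INSTALL, "AS"   },
  { SPF_FLAG_ABR_STATUS_CHANGE,        "ABR"  },
  { SPF_FLAG_ASBR_STATUS_CHANGE,       "ASBR" },
  { SPF_FLAG_MAXAGE,                   "M"    },
};
size_t off = 0;

rbuf[0] = '\0';
for (size_t i = 0; i < sizeof(spf_reasons) / sizeof(spf_reasons[0]); i++)
  {
    if (!(spf_reason_flags & spf_reasons[i].flag))
      continue;
    /* separator goes before every tag except the first, so nothing is trimmed afterwards */
    int n = snprintf (rbuf + off, sizeof(rbuf) - off, "%s%s",
                      off ? ", " : "", spf_reasons[i].tag);
    if (n < 0 || (size_t)n >= sizeof(rbuf) - off)
      break; /* out of room: keep what fits, still NUL-terminated */
    off += (size_t)n;
  }
/* … unchanged: IS_DEBUG_OSPF_EVENT logging … */
```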
diff --git a/ripngd/ripngd.c b/ripngd/ripngd.c
index 8ea66517c..a50204ae3 100644
--- a/ripngd/ripngd.c
+++ b/ripngd/ripngd.c
@@ -2971,6 +2971,9 @@ ripng_clean()
XFREE (MTYPE_ROUTE_TABLE, ripng->route);
XFREE (MTYPE_ROUTE_TABLE, ripng->aggregate);
+ stream_free (ripng->ibuf);
+ stream_free (ripng->obuf);
+
XFREE (MTYPE_RIPNG, ripng);
ripng = NULL;
} /* if (ripng) */
diff --git a/zebra/zserv.c b/zebra/zserv.c
index 533678f16..9beae9232 100644
--- a/zebra/zserv.c
+++ b/zebra/zserv.c
@@ -2000,6 +2000,15 @@ zebra_client_close (struct zserv *client)
if (client->t_suicide)
thread_cancel (client->t_suicide);
+ /* Free bitmaps. */
+ for (afi_t afi = AFI_IP; afi < AFI_MAX; afi++)
+ for (int i = 0; i < ZEBRA_ROUTE_MAX; i++)
+ vrf_bitmap_free (client->redist[afi][i]);
+
+ vrf_bitmap_free (client->redist_default);
+ vrf_bitmap_free (client->ifinfo);
+ vrf_bitmap_free (client->ridinfo);
+
/* Free client structure. */
listnode_delete (zebrad.client_list, client);
XFREE (MTYPE_TMP, client);
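Review bot: The list of bitmaps released here has to mirror whatever the client-creation path allocates, and that site is not visible in this hunk. If a new bitmap is added there later, the leak this commit fixes comes back unnoticed. Extending the comment to `/* Free bitmaps; keep in sync with the allocations made when the client is created. */` would tie the two sites together. The nested `for` loops would also read more safely with braces around the inner loop body.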