diff options
| author | Renato Westphal <renato@opensourcerouting.org> | 2017-10-10 14:22:41 +0200 |
|---|---|---|
| committer | Renato Westphal <renato@opensourcerouting.org> | 2017-10-10 14:37:31 +0200 |
| commit | 50732983b93cd44f95bbb28b43ea8401c487b9cd (patch) | |
| tree | 67c083125c27a8486e2fb1b83b9a4c6a018367c4 /ldpd/ldpe.c | |
| parent | Merge pull request #1301 from donaldsharp/zebra_vxlan (diff) | |
| download | frr-50732983b93cd44f95bbb28b43ea8401c487b9cd.tar.xz frr-50732983b93cd44f95bbb28b43ea8401c487b9cd.zip | |
ldpd: fix heap-use-after-free at exit
This problems happens because, in this port, whenever the child
processes want to log something they send a message to the parent. But
in the shutdown functions the first thing we do is to close the pipes
to the parent process. With that said, add some protections to prevent
the child processes from trying to use a closed pipe and just ignore
their log messages during shutdown. In the future we need to share
the logging configuration with the child processes so they can send
log messages on their own.
While here, remove some unnecessary calls to msgbuf_write() in
ldpe_shutdown().
Fixes #1253.
Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
Diffstat (limited to 'ldpd/ldpe.c')
| -rw-r--r-- | ldpd/ldpe.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ldpd/ldpe.c b/ldpd/ldpe.c index 3c8f8135e..9d00bcd2b 100644 --- a/ldpd/ldpe.c +++ b/ldpd/ldpe.c @@ -190,15 +190,16 @@ ldpe_shutdown(void) /* close pipes */ if (iev_lde) { - msgbuf_write(&iev_lde->ibuf.w); msgbuf_clear(&iev_lde->ibuf.w); close(iev_lde->ibuf.fd); + iev_lde->ibuf.fd = -1; } - msgbuf_write(&iev_main->ibuf.w); msgbuf_clear(&iev_main->ibuf.w); close(iev_main->ibuf.fd); + iev_main->ibuf.fd = -1; msgbuf_clear(&iev_main_sync->ibuf.w); close(iev_main_sync->ibuf.fd); + iev_main_sync->ibuf.fd = -1; control_cleanup(ctl_sock_path); config_clear(leconf); @@ -236,12 +237,16 @@ ldpe_shutdown(void) int ldpe_imsg_compose_parent(int type, pid_t pid, void *data, uint16_t datalen) { + if (iev_main->ibuf.fd == -1) + return (0); return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); } void ldpe_imsg_compose_parent_sync(int type, pid_t pid, void *data, uint16_t datalen) { + if (iev_main_sync->ibuf.fd == -1) + return; imsg_compose_event(iev_main_sync, type, 0, pid, -1, data, datalen); imsg_flush(&iev_main_sync->ibuf); } @@ -250,6 +255,8 @@ int ldpe_imsg_compose_lde(int type, uint32_t peerid, pid_t pid, void *data, uint16_t datalen) { + if (iev_lde->ibuf.fd == -1) + return (0); return (imsg_compose_event(iev_lde, type, peerid, pid, -1, data, datalen)); } |