authorQuentin Young <qlyoung@cumulusnetworks.com>2020-06-02 21:33:05 +0200
committerQuentin Young <qlyoung@nvidia.com>2020-08-11 20:26:33 +0200
commitee723e13825920376a3938a5e3c0b355b4861e4a (patch)
treed737eaf0a9143ea03b8aff1ab0fbffdfe23a6ec5 /vrrpd
parentMerge pull request #6893 from DmitriyEshenko/dmvpn-example (diff)
vrrpd: don't allow autocreated vr's in NB layer
Changing properties on an autoconfigured VRRP instance results in its pointer being stored as a userdata in the NB tree, leading to UAF when autoconfigure deletes the instance and then later NB operations take place using the now-stale pointer. Ticket: CM-29850 Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Diffstat (limited to 'vrrpd')
-rw-r--r--vrrpd/vrrp_northbound.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/vrrpd/vrrp_northbound.c b/vrrpd/vrrp_northbound.c
index e9cd714a9..ad6775dd3 100644
--- a/vrrpd/vrrp_northbound.c
+++ b/vrrpd/vrrp_northbound.c
@@ -40,12 +40,22 @@ static int lib_interface_vrrp_vrrp_group_create(struct nb_cb_create_args *args)
uint8_t version = 3;
struct vrrp_vrouter *vr;
- if (args->event != NB_EV_APPLY)
- return NB_OK;
-
ifp = nb_running_get_entry(args->dnode, NULL, true);
vrid = yang_dnode_get_uint8(args->dnode, "./virtual-router-id");
version = yang_dnode_get_enum(args->dnode, "./version");
+
+ switch (event) {
+ case NB_EV_VALIDATE:
+ vr = vrrp_lookup(ifp, vrid);
+ if (vr && vr->autoconf)
+ return NB_ERR_VALIDATION;
+ case NB_EV_PREPARE:
+ case NB_EV_ABORT:
+ return NB_OK;
+ case NB_EV_APPLY:
+ break;
+ }
+
vr = vrrp_vrouter_create(ifp, vrid, version);
nb_running_set_entry(args->dnode, vr);
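Review bot: The added `switch (event)` names an identifier that is not declared anywhere in the hunk, while the removed check and every other line here read the phase from `args->event`; unless a local `event` exists above the hunk, this should be `switch (args->event) {`. Moving `nb_running_get_entry(args->dnode, NULL, true)` ahead of the switch also means the lookup now runs during NB_EV_VALIDATE and NB_EV_PREPARE. If the interface entry can be missing from the running configuration at that point (for example, interface and group created in one transaction), the `true` abort-if-not-found argument would presumably take the daemon down instead of rejecting the change. Consider doing the validate-phase lookup with `false` and skipping the autoconf check when `ifp` is NULL. The `NB_EV_VALIDATE` case falls through into `NB_EV_PREPARE` without a marker, so add `/* fallthrough */` or an explicit `return NB_OK;` to show it is intended. The function begins and ends outside this hunk, so the declarations and the final return are not visible here.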