author | Quentin Young <qlyoung@cumulusnetworks.com> | 2020-01-14 07:18:44 +0100 |
---|---|---|
committer | Quentin Young <qlyoung@cumulusnetworks.com> | 2020-01-15 20:19:56 +0100 |
commit | 592af4cc0aa25dd3f5d3a3d8fc4f0ae1f681ae74 (patch) | |
tree | a6694dc91024ad74c6988d9e1c2939b64f23aedc /zebra/zebra_pbr.c | |
parent | Merge pull request #5666 from donaldsharp/more_nhg_fixes (diff) | |
zebra: fix iptable install heap UAF
My previous patch to fix a memory leak, caused by not properly freeing
the iptable iface list on stream parse failure, created/exposed a heap
use-after-free because we were not doing a deep copy.
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Diffstat (limited to 'zebra/zebra_pbr.c')
-rw-r--r-- | zebra/zebra_pbr.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/zebra/zebra_pbr.c b/zebra/zebra_pbr.c
index 0c3adcdfa..fe7a93a50 100644
--- a/zebra/zebra_pbr.c
+++ b/zebra/zebra_pbr.c
@@ -652,12 +652,22 @@ static void *pbr_iptable_alloc_intern(void *arg)
 {
 struct zebra_pbr_iptable *zpi;
 struct zebra_pbr_iptable *new;
+ struct listnode *ln;
+ char *ifname;
 zpi = (struct zebra_pbr_iptable *)arg;
 new = XCALLOC(MTYPE_TMP, sizeof(struct zebra_pbr_iptable));
+ /* Deep structure copy */
 memcpy(new, zpi, sizeof(*zpi));
+ new->interface_name_list = list_new();
+
+ if (zpi->interface_name_list) {
+ for (ALL_LIST_ELEMENTS_RO(zpi->interface_name_list, ln, ifname))
+ listnode_add(new->interface_name_list,
+ XSTRDUP(MTYPE_PBR_IPTABLE_IFNAME, ifname));
+ }
 return new;
 } |
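Review bot: The names duplicated with `XSTRDUP(MTYPE_PBR_IPTABLE_IFNAME, ifname)` are added to a list created by `list_new()` with no `del` callback set, so nothing in this hunk establishes who frees them. If the release path for the interned entry only calls `list_delete()` on `interface_name_list`, each copied name leaks; if it frees the names by hand, it now has to do so for the copy and for the caller's list independently. That routine is outside the hunk, so confirm it there, or make ownership explicit by setting `new->interface_name_list->del` to a function that frees with `MTYPE_PBR_IPTABLE_IFNAME`. The `/* Deep structure copy */` comment sits on the `memcpy`, which is still a shallow copy, so a comment above both steps such as `/* Shallow copy, then give the new entry its own interface_name_list so it never aliases the caller's */` would be more accurate. Any other pointer member of `struct zebra_pbr_iptable` (its definition is not visible here) would still be shared after the `memcpy`.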