author | Carmine Scarpitta <carmine.scarpitta@uniroma2.it> | 2022-11-18 13:19:14 +0100 |
---|---|---|
committer | Carmine Scarpitta <carmine.scarpitta@uniroma2.it> | 2022-11-18 13:19:14 +0100 |
commit | 22efe557f148ae43f8a7732bd0865eb3f17ad67c (patch) | |
tree | 1ad810280e6c17087744e27771615af1b1758916 /zebra | |
parent | Merge pull request #12309 from proelbtn/bgpd-fix-mpls-vpn-advertisement (diff) | |
zebra: Fix use-after-free issue in srte cleanup

Currently, in `zebra_srte_client_close_cleanup` we use the `RB_FOREACH`
macro to traverse the SR policies tree. We remove the SR policies within
the loop. Removing elements from the tree and freeing them is not safe
and causes a use-after-free crash whenever the
`zebra_srte_client_close_cleanup` is called to perform cleanup.

This commit replaces the `RB_FOREACH` macro with its variant
`RB_FOREACH_SAFE`. Unlike `RB_FOREACH`, `RB_FOREACH_SAFE` permits both
the removal of tree elements as well as freeing them from within the
loop safely.

Signed-off-by: Carmine Scarpitta <carmine.scarpitta@uniroma2.it>
Diffstat (limited to 'zebra')
-rw-r--r-- | zebra/zebra_srte.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/zebra/zebra_srte.c b/zebra/zebra_srte.c index 7d95607fc..746158c4b 100644 --- a/zebra/zebra_srte.c +++ b/zebra/zebra_srte.c @@ -387,13 +387,13 @@ int zebra_sr_policy_label_update(mpls_label_t label, static int zebra_srte_client_close_cleanup(struct zserv *client) { int sock = client->sock; - struct zebra_sr_policy *policy; + struct zebra_sr_policy *policy, *policy_temp; if (!sock) return 0; - RB_FOREACH (policy, zebra_sr_policy_instance_head, - &zebra_sr_policy_instances) { + RB_FOREACH_SAFE (policy, zebra_sr_policy_instance_head, + &zebra_sr_policy_instances, policy_temp) { if (policy->sock == sock) zebra_sr_policy_del(policy); } |
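Review bot: The loop body in zebra_srte_client_close_cleanup still depends on an unstated invariant: RB_FOREACH_SAFE stores the successor in policy_temp before the body runs, so the traversal is only safe if zebra_sr_policy_del(policy) removes and frees the current node and nothing else in zebra_sr_policy_instances. If that call can ever drop a second policy, policy_temp may point at freed memory and the same use-after-free returns. Please confirm that against zebra_sr_policy_del and add a one-line comment above the loop saying that entries are freed inside it, so the macro is not changed back to RB_FOREACH in a later cleanup. Separately, in the unchanged context, `if (!sock) return 0;` skips cleanup when the descriptor is 0, which is a valid file descriptor value; worth checking whether a client socket can be 0 here, or that invalid sockets are represented differently.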