
From 79fae02a1c621ca7b476dda8194e3bf24f177c89 Mon Sep 17 00:00:00 2001
From: Paul Jakma <paul@jakma.org>
Date: Sat, 6 Jan 2018 19:52:10 +0000
Subject: [PATCH] bgpd/security: Fix double free of unknown attribute
509b4b
Security issue: Quagga-2018-1114
509b4b
See: https://www.quagga.net/security/Quagga-2018-1114.txt
509b4b
It is possible for bgpd to double-free an unknown attribute. This can happen
via bgp_update_receive receiving an UPDATE with an invalid unknown attribute.
bgp_update_receive then will call bgp_attr_unintern_sub and bgp_attr_flush,
and the latter may try to free an already freed unknown attr.
509b4b
* bgpd/bgp_attr.c: (transit_unintern) Take a pointer to the caller's storage
509b4b
  for the (struct transit *), so that transit_unintern can NULL out the
509b4b
  caller's reference if the (struct transit) is freed.
509b4b
  (cluster_unintern) By inspection, appears to have a similar issue.
509b4b
  (bgp_attr_unintern_sub) adjust for above.
509b4b
---
509b4b
 bgpd/bgp_attr.c | 33 +++++++++++++++++++--------------
509b4b
 bgpd/bgp_attr.h |  4 ++--
509b4b
 2 files changed, 21 insertions(+), 16 deletions(-)
509b4b
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index cbf2902d..8eea4ed0 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -183,15 +183,17 @@ cluster_intern (struct cluster_list *cluster)
 }
 
 void
-cluster_unintern (struct cluster_list *cluster)
+cluster_unintern (struct cluster_list **cluster)
 {
-  if (cluster->refcnt)
-    cluster->refcnt--;
+  struct cluster_list *c = *cluster;
+  if (c->refcnt)
+    c->refcnt--;
 
-  if (cluster->refcnt == 0)
+  if (c->refcnt == 0)
     {
-      hash_release (cluster_hash, cluster);
-      cluster_free (cluster);
+      hash_release (cluster_hash, c);
+      cluster_free (c);
+      *cluster = NULL;
     }
 }
 
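Review bot: cluster_unintern dereferences `*cluster` unconditionally at `struct cluster_list *c = *cluster;`, so the new by-reference contract still depends on every caller guarding a NULL slot the way bgp_attr_unintern_sub does; since the whole point of clearing the caller's pointer is that a second unintern of the same slot now sees NULL, a guard `if (c == NULL) return;` (or an `assert (c)` if the project prefers hard failures there) would make the function safe to call twice rather than only safe when the caller remembers the check. The same applies to transit_unintern in the next hunk. The out-parameter contract — the caller's pointer is cleared when the object is freed — is not stated anywhere; a comment above the definition such as `/* Drop one reference to *cluster; when the count reaches zero the object is freed and *cluster is set to NULL. */` would explain why the signature takes a double pointer.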
@@ -241,15 +243,18 @@ transit_intern (struct transit *transit)
 }
 
 void
-transit_unintern (struct transit *transit)
+transit_unintern (struct transit **transit)
 {
-  if (transit->refcnt)
-    transit->refcnt--;
+  struct transit *t = *transit;
+  
+  if (t->refcnt)
+    t->refcnt--;
 
-  if (transit->refcnt == 0)
+  if (t->refcnt == 0)
     {
-      hash_release (transit_hash, transit);
-      transit_free (transit);
+      hash_release (transit_hash, t);
+      transit_free (t);
+      *transit = NULL;
     }
 }
 
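Review bot: The blank line added directly after `struct transit *t = *transit;` carries trailing whitespace (it appears as `+  ` in the hunk), which git's whitespace check flags and which the neighbouring blank lines in this function do not have; it should be an empty line. The NULL-guard and documentation points raised on cluster_unintern in the previous hunk apply to transit_unintern in the same way.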
@@ -658,11 +663,11 @@ bgp_attr_unintern_sub (struct attr *attr)
       UNSET_FLAG(attr->flag, BGP_ATTR_EXT_COMMUNITIES);
       
       if (attr->extra->cluster)
-        cluster_unintern (attr->extra->cluster);
+        cluster_unintern (&attr->extra->cluster);
       UNSET_FLAG(attr->flag, BGP_ATTR_CLUSTER_LIST);
       
       if (attr->extra->transit)
-        transit_unintern (attr->extra->transit);
+        transit_unintern (&attr->extra->transit);
     }
 }
 
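Review bot: The double free only goes away if bgp_attr_flush, which is not in this diff, tests `attr->extra->transit` (and `attr->extra->cluster`) for NULL before freeing; the commit message places the second free there, so that check is the other half of the fix and is worth confirming rather than assuming. A comment at the two call sites, `/* unintern clears the slot on free, so a later bgp_attr_flush sees NULL */`, would record the dependency for the next reader. bgp_attr_unintern_sub begins before this hunk; the `if (attr->extra->cluster)` and `if (attr->extra->transit)` guards remain necessary because the callees dereference the slot without checking it.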
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
index df87c863..7d3cc64b 100644
--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
@@ -174,10 +174,10 @@ extern unsigned long int attr_unknown_count (void);
 
 /* Cluster list prototypes. */
 extern int cluster_loop_check (struct cluster_list *, struct in_addr);
-extern void cluster_unintern (struct cluster_list *);
+extern void cluster_unintern (struct cluster_list **);
 
 /* Transit attribute prototypes. */
-void transit_unintern (struct transit *);
+void transit_unintern (struct transit **);
 
 /* Below exported for unit-test purposes only */
 struct bgp_attr_parser_args {
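Review bot: The two rewritten prototypes spell linkage differently — `extern void cluster_unintern (struct cluster_list **);` versus `void transit_unintern (struct transit **);` — and since this commit touches both lines it is the natural moment to make them consistent. Neither prototype says that the pointee is freed and the caller's pointer set to NULL once the last reference is dropped, which is exactly what a caller now needs to know to use the double pointer correctly; a one-line comment above each, e.g. `/* Release one reference; frees the object and sets *transit to NULL when the count reaches zero. */`, would cover it.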
-- 
2.14.3