[PATCH] Fix protocol memory use free under certain configure/undo cases

Sergey Popovich popovich_sergei at mail.ru
Mon May 5 11:03:37 CEST 2014


In a message of 5 May 2014 11:04:57, Ondrej Zajicek wrote:
> On Mon, May 05, 2014 at 10:28:03AM +0300, Sergey Popovich wrote:
> > It is possible to cause BIRD to use after free memory block, allocated
> > to the protocol in the following conditions:
> Hi
> 
> Thanks for the bugreport and the patch.
> 
> > diff --git a/nest/proto.c b/nest/proto.c
> > index edb490f..c21be85 100644
> > --- a/nest/proto.c
> > +++ b/nest/proto.c
> > @@ -599,7 +599,10 @@ proto_rethink_goal(struct proto *p)
> > 
> >        rem_node(&p->glob_node);
> >        mb_free(p);
> >        if (!nc)
> > 
> > -	return;
> > +        {
> > +          p->cf->global->proto = NULL;
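Review bot: the added `p->cf->global->proto = NULL;` in the `if (!nc)` branch dereferences `p` after `mb_free(p)` two lines above it, so the new statement itself reads freed memory. Do the NULL assignment before `mb_free(p)`, or copy `p->cf` into a local before the free and use that local afterwards. The added lines are also indented with spaces where the removed `return;` used a tab.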
> 
> I guess here should be p->cf->proto (there is no proto in p->cf->global).

Oh, yes. Sorry, it really should be p->ct->proto; I sent the wrong version with an
uncommitted change.

> 
> It is probably better to move it unconditionally before
> config_del_obstacle(), like in attached patch.

Probably we may, but I did not test for this. It seems cf_new still contains the
configuration candidate.

-- 
SP5474-RIPE
Sergey Popovich



