On Mon, May 05, 2014 at 10:28:03AM +0300, Sergey Popovich wrote:
It is possible to cause BIRD to use an already freed memory block allocated to the protocol under the following conditions:
Hi,

Thanks for the bug report and the patch.
diff --git a/nest/proto.c b/nest/proto.c index edb490f..c21be85 100644 --- a/nest/proto.c +++ b/nest/proto.c @@ -599,7 +599,10 @@ proto_rethink_goal(struct proto *p) rem_node(&p->glob_node); mb_free(p); if (!nc) - return; + { + p->cf->global->proto = NULL;
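Review bot: the added assignment `p->cf->global->proto = NULL;` dereferences `p` two lines after `mb_free(p)`, so the fix itself reads freed memory; save `p->cf` in a local, or perform the assignment, before `mb_free(p)`. The `{` opened for the `if (!nc)` branch has no matching close in the visible lines, so the rest of that branch cannot be reviewed here.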
I guess it should be p->cf->proto here (there is no proto in p->cf->global). It is probably better to move it unconditionally before config_del_obstacle(), as in the attached patch.

--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
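The teardown ordering discussed in this thread, as an added C example that is not BIRD's code: a constructed, simplified config/protocol pair in which the config outlives the protocol instance and is consulted again on a later reconfiguration. The struct layout, proto_from_config, the generation counter and the demo function are assumptions, and config_del_obstacle here is a one-line stand-in for BIRD's.

```c
#include <stdlib.h>

/* Hypothetical, simplified mirror of BIRD's protocol/config pair; not BIRD's code. */
struct proto;
struct proto_config { struct proto *proto; int obstacles; }; /* back-pointer + obstacle stand-in */
struct proto { struct proto_config *cf; int generation; };   /* generation: constructed marker */

static int next_generation = 1;

static void config_del_obstacle(struct proto_config *c) { c->obstacles--; } /* stand-in */

/* Fixed teardown order: clear cf->proto while p is still valid, then drop the
 * obstacle and free. Assigning through p after mb_free(p), as in the posted
 * hunk, reads p->cf from freed memory and is itself a use-after-free. */
static void proto_teardown(struct proto *p)
{
    struct proto_config *c = p->cf;
    c->proto = NULL;
    config_del_obstacle(c);
    free(p);
}

/* A later reconfiguration consults cf->proto: with the back-pointer cleared it
 * allocates a fresh instance instead of reusing the freed one. */
static struct proto *proto_from_config(struct proto_config *c)
{
    if (c->proto)
        return c->proto;                /* live instance still attached: reuse it */
    struct proto *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->cf = c;
    p->generation = next_generation++;
    c->proto = p;
    c->obstacles++;
    return p;
}

/* Returns 1 when teardown leaves the config clean and a later re-instantiation
 * produces a new, distinct instance. */
int demo_teardown_then_reconfigure(void)
{
    struct proto_config cf = { NULL, 0 };
    struct proto *first = proto_from_config(&cf);
    if (!first) return 0;
    int first_gen = first->generation;
    proto_teardown(first);
    if (cf.proto != NULL || cf.obstacles != 0)
        return 0;                       /* dangling back-pointer or leaked obstacle */
    struct proto *second = proto_from_config(&cf);
    if (!second) return 0;
    int ok = second->generation != first_gen && cf.proto == second;
    proto_teardown(second);
    return ok;
}
```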