It is possible to cause BIRD to use after free memory block, allocated to the protocol in the following conditions: bird.conf: --------- router id 1.1.1.1; protocol static static1 { route 0.0.0.0/0 blackhole; } protocol static static2 { route 0.0.0.0/0 blackhole; } Start bird. On the console do: BIRD 1.3.11 ready. name proto table state since info static1 Static master up 18:17:30 static2 Static master up 18:17:30 Edit bird.conf and comment out protocol static2 (or static1, this does not important). Save configuration file candidate. Then on console do: BIRD 1.3.11 ready. name proto table state since info static1 Static master up 18:19:02 See no protocol static2, it is freed in proto_rethink_goal(), but still in old (BIRD's startup config) config structure, thus not initialized as new on undo operation at protos_commit(). And after this we have use after free protocol structure, which is already removed after first configure, where protocol commented out in config. In certrain environments (especially with glibc compiled to detect double free corruptions) this leads to BIRD crash. Fix by initializing pointer to the protocol in configuration file when protocol is candidate for removal (all cases where cf_new is set to NULL). Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru> --- nest/proto.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nest/proto.c b/nest/proto.c index edb490f..c21be85 100644 --- a/nest/proto.c +++ b/nest/proto.c @@ -599,7 +599,10 @@ proto_rethink_goal(struct proto *p) rem_node(&p->glob_node); mb_free(p); if (!nc) - return; + { + p->cf->global->proto = NULL; + return; + } p = proto_init(nc); } -- 1.7.10.4