It is possible to cause BIRD to use after free the memory block allocated to the protocol under the following conditions:
bird.conf:
---------
router id 1.1.1.1;
protocol static static1 { route 0.0.0.0/0 blackhole; }
protocol static static2 { route 0.0.0.0/0 blackhole; }

Start bird. On the console do:

BIRD 1.3.11 ready.
name     proto    table    state  since     info
static1  Static   master   up     18:17:30
static2  Static   master   up     18:17:30

Edit bird.conf and comment out protocol static2 (or static1, this is not important). Save configuration file candidate. Then on console do:

BIRD 1.3.11 ready.
name     proto    table    state  since     info
static1  Static   master   up     18:19:02

See no protocol static2; it is freed in proto_rethink_goal(), but still in the old (BIRD's startup config) config structure, thus not initialized as new on undo operation at protos_commit(). And after this we have use after free of the protocol structure, which is already removed after the first configure, where the protocol is commented out in the config. In certain environments (especially with glibc compiled to detect double free corruptions) this leads to a BIRD crash.

Fix by initializing pointer to the protocol in configuration file when protocol is candidate for removal (all cases where cf_new is set to NULL).

Signed-off-by: Sergey Popovich <popovich_ser...@mail.ru>
---
 nest/proto.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/nest/proto.c b/nest/proto.c
index edb490f..c21be85 100644
--- a/nest/proto.c
+++ b/nest/proto.c
@@ -599,7 +599,10 @@ proto_rethink_goal(struct proto *p)
       rem_node(&p->glob_node);
       mb_free(p);
       if (!nc)
-	return;
+	{
+	  p->cf->global->proto = NULL;
+	  return;
+	}
       p = proto_init(nc);
     }
--
1.7.10.4
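Review bot: the new assignment `p->cf->global->proto = NULL;` inside the `if (!nc)` block executes after `mb_free(p);` two lines above it, so it dereferences `p->cf` through a block that has just been freed, and the patch meant to close one use-after-free opens another. Clear the config's protocol pointer before the free instead: either move the assignment above `mb_free(p);`, or save `struct proto_config *oc = p->cf;` before the free and assign through `oc` in the `!nc` branch.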