bgpd(8): fix use after free


bgpd(8): fix use after free

Florian Obser-2
33% found by llvm.
The -1 is propagated up from a failed calloc in
kif_kr_insert/kif_kr6_insert.

ok?

Index: kroute.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
retrieving revision 1.191
diff -u -p -r1.191 kroute.c
--- kroute.c 13 Nov 2012 22:07:28 -0000 1.191
+++ kroute.c 14 Mar 2013 13:07:30 -0000
@@ -506,8 +506,10 @@ kr4_change(struct ktable *kt, struct kro
  kr->r.priority = RTP_BGP;
  kr->r.labelid = labelid;
 
- if (kroute_insert(kt, kr) == -1)
+ if (kroute_insert(kt, kr) == -1) {
  free(kr);
+ return (-1);
+ }
  } else {
  kr->r.nexthop.s_addr = kl->nexthop.v4.s_addr;
  rtlabel_unref(kr->r.labelid);
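Review bot: The new failure path frees kr but does not release the label reference stored in it two lines earlier (`kr->r.labelid = labelid;`); the else branch's `rtlabel_unref(kr->r.labelid)` indicates labelid is a counted reference, so the insert-failure branch likely leaks it and should probably read `rtlabel_unref(labelid); free(kr); return (-1);`. The same pattern recurs in the kr6_change and krVPN4_change hunks below. Where labelid is acquired is outside the hunk, so confirm it is a reference taken by this function before adding the unref. kr4_change starts and ends outside the hunk.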
@@ -563,8 +565,10 @@ kr6_change(struct ktable *kt, struct kro
  kr6->r.priority = RTP_BGP;
  kr6->r.labelid = labelid;
 
- if (kroute6_insert(kt, kr6) == -1)
+ if (kroute6_insert(kt, kr6) == -1) {
  free(kr6);
+ return (-1);
+ }
  } else {
  memcpy(&kr6->r.nexthop, &kl->nexthop.v6,
     sizeof(struct in6_addr));
@@ -633,8 +637,10 @@ krVPN4_change(struct ktable *kt, struct
  kr->r.labelid = labelid;
  kr->r.mplslabel = mplslabel;
 
- if (kroute_insert(kt, kr) == -1)
+ if (kroute_insert(kt, kr) == -1) {
  free(kr);
+ return (-1);
+ }
  } else {
  kr->r.mplslabel = mplslabel;
  kr->r.nexthop.s_addr = kl->nexthop.v4.s_addr;

--
I'm not entirely sure you are real.