Conversation


@mergify mergify bot commented Jul 22, 2025

ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0001ca478 at pc 0x562dc173c5b9 bp 0x7ffe07f7a260 sp 0x7ffe07f7a258
READ of size 4 at 0x60c0001ca478 thread T0
    0 0x562dc173c5b8 in ospf_lsa_lock ospfd/ospf_lsa.c:269
    1 0x562dc17242ec in ospf_flood_delayed_lsa_ack ospfd/ospf_flood.c:139
    2 0x562dc17242ec in ospf_flood ospfd/ospf_flood.c:553
    3 0x562dc1771bba in ospf_ls_upd ospfd/ospf_packet.c:1959
    4 0x562dc1771bba in ospf_read_helper ospfd/ospf_packet.c:2926
    5 0x562dc1771bba in ospf_read ospfd/ospf_packet.c:2957
    6 0x7f615e0dba5f in event_call lib/event.c:2005
    7 0x7f615e001781 in frr_run lib/libfrr.c:1252
    8 0x562dc170b171 in main ospfd/ospf_main.c:307
    9 0x7f615da2c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    10 0x7f615da2c304 in __libc_start_main_impl ../csu/libc-start.c:360
    11 0x562dc170a9d0 in _start (/usr/lib/frr/ospfd+0x15e9d0)

0x60c0001ca478 is located 56 bytes inside of 128-byte region [0x60c0001ca440,0x60c0001ca4c0)
freed by thread T0 here:
    0 0x7f615e4b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    1 0x7f615e024478 in qfree lib/memory.c:136
    2 0x562dc173c976 in ospf_lsa_free ospfd/ospf_lsa.c:263
    3 0x562dc173ca7a in ospf_lsa_unlock ospfd/ospf_lsa.c:286
    4 0x562dc174eb11 in ospf_lsdb_delete_entry ospfd/ospf_lsdb.c:150
    5 0x562dc174f22e in ospf_lsdb_add ospfd/ospf_lsdb.c:173
    6 0x562dc1747fa5 in ospf_lsa_install ospfd/ospf_lsa.c:3071
    7 0x562dc17484db in ospf_summary_lsa_refresh ospfd/ospf_lsa.c:1436
    8 0x562dc174c116 in ospf_lsa_refresh ospfd/ospf_lsa.c:4050
    9 0x562dc174d236 in ospf_refresh_area_self_lsas ospfd/ospf_lsa.c:3826
    10 0x562dc17240d2 in ospf_flood ospfd/ospf_flood.c:533
    11 0x562dc1771bba in ospf_ls_upd ospfd/ospf_packet.c:1959
    12 0x562dc1771bba in ospf_read_helper ospfd/ospf_packet.c:2926
    13 0x562dc1771bba in ospf_read ospfd/ospf_packet.c:2957
    14 0x7f615e0dba5f in event_call lib/event.c:2005
    15 0x7f615e001781 in frr_run lib/libfrr.c:1252
    16 0x562dc170b171 in main ospfd/ospf_main.c:307
    17 0x7f615da2c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    0 0x7f615e4b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    1 0x7f615e023b85 in qcalloc lib/memory.c:111
    2 0x562dc173c302 in ospf_lsa_new ospfd/ospf_lsa.c:193
    3 0x562dc173c5dc in ospf_lsa_new_and_data ospfd/ospf_lsa.c:212
    4 0x562dc1771192 in ospf_ls_upd_list_lsa ospfd/ospf_packet.c:1641
    5 0x562dc1771192 in ospf_ls_upd ospfd/ospf_packet.c:1726
    6 0x562dc1771192 in ospf_read_helper ospfd/ospf_packet.c:2926
    7 0x562dc1771192 in ospf_read ospfd/ospf_packet.c:2957
    8 0x7f615e0dba5f in event_call lib/event.c:2005
    9 0x7f615e001781 in frr_run lib/libfrr.c:1252
    10 0x562dc170b171 in main ospfd/ospf_main.c:307
    11 0x7f615da2c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Since we need to ack the lsa that was just freed, let's schedule the ack before the free.


This is an automatic backport of pull request #19224 done by Mergify.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 6f6111b)
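As an added illustration that is not part of this pull request and not FRR's code: a small C model of the reference-counted LSA lifecycle behind the sanitizer report above. Only the ordering is taken from the report: the received self-originated LSA loses its last reference when the refreshed copy replaces it in the LSDB (ospf_lsdb_add -> ospf_lsdb_delete_entry -> ospf_lsa_unlock), and the delayed ack then calls ospf_lsa_lock on the freed object. Everything else is an assumption of the model: the function and field names are hypothetical stand-ins, after install the LSDB is assumed to hold the only reference to the received LSA, and the queued delayed ack is assumed to hold its own reference (the trace shows ospf_flood_delayed_lsa_ack taking one via ospf_lsa_lock). LSAs come from a static pool whose slots are never reused, so the buggy ordering is counted instead of crashing; in the real daemon that counting is what AddressSanitizer does.

```c
/* Added example, not FRR's code: a model of the reference-counted LSA lifecycle
 * behind the sanitizer report. LSAs come from a static pool and are only marked
 * freed, so the bad ordering is counted by lsa_lock()/lsa_unlock() instead of
 * crashing. All names are hypothetical stand-ins for the ospfd functions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { POOL_SIZE = 8, LSDB_SLOTS = 4, MAX_ACKS = 4 };

struct lsa {
	int key;        /* stands in for (LS type, LS id, advertising router) */
	uint32_t seq;   /* LS sequence number */
	bool self;      /* self-originated: advertising router is us */
	int lock;       /* reference count, as ospf_lsa_lock/ospf_lsa_unlock keep */
	bool freed;     /* slot released; any later access is a use-after-free */
};

static struct lsa pool[POOL_SIZE];     /* slots are handed out once, never reused */
static int pool_used;
static struct lsa *lsdb[LSDB_SLOTS];   /* one entry per key, like the LSDB */
static struct lsa *ack_queue[MAX_ACKS];
static int ack_count;
static int uaf_hits;                   /* accesses to a freed LSA */

static struct lsa *lsa_new(int key, uint32_t seq, bool self)
{
	struct lsa *lsa = &pool[pool_used++];
	*lsa = (struct lsa){ .key = key, .seq = seq, .self = self, .lock = 1 };
	return lsa;   /* the creator holds the first reference */
}

static struct lsa *lsa_lock(struct lsa *lsa)
{
	if (lsa->freed)
		uaf_hits++;   /* the 4-byte READ of lsa->lock that ASan flagged */
	lsa->lock++;
	return lsa;
}

/* Drop one reference; at zero the LSA is freed and its slot quarantined. */
static void lsa_unlock(struct lsa **lsa)
{
	if ((*lsa)->freed)
		uaf_hits++;
	if (--(*lsa)->lock == 0)
		(*lsa)->freed = true;
	*lsa = NULL;
}

/* Model of ospf_lsa_install()/ospf_lsdb_add(): the LSDB takes over the caller's
 * reference, and evicting the previous entry drops the LSDB's reference to it
 * (ospf_lsdb_delete_entry -> ospf_lsa_unlock), which may free it. */
static struct lsa *lsa_install(struct lsa *lsa)
{
	struct lsa **slot = &lsdb[lsa->key % LSDB_SLOTS];
	if (*slot && *slot != lsa)
		lsa_unlock(slot);
	return *slot = lsa;
}

/* Like ospf_flood_delayed_lsa_ack(): the queued ack holds its own reference. */
static void schedule_delayed_ack(struct lsa *lsa)
{
	ack_queue[ack_count++] = lsa_lock(lsa);
}

/* Like ospf_flood(). false = the ordering in the report (refresh, then ack a
 * freed LSA); true = the fix: the ack takes its reference before the refresh. */
static void flood(struct lsa *received, bool ack_before_refresh)
{
	struct lsa *lsa = lsa_install(received);
	if (ack_before_refresh)
		schedule_delayed_ack(lsa);
	if (lsa->self)   /* like ospf_refresh_area_self_lsas(): re-originate it */
		lsa_install(lsa_new(lsa->key, lsa->seq + 1, true));
	if (!ack_before_refresh)
		schedule_delayed_ack(lsa);   /* lsa may already be freed here */
}

/* Constructed input: a neighbour floods back one of our own summary LSAs with
 * a newer sequence number. Returns the number of freed-LSA accesses seen. */
static int run_scenario(bool ack_before_refresh)
{
	memset(lsdb, 0, sizeof(lsdb));
	pool_used = ack_count = uaf_hits = 0;
	flood(lsa_new(3, 0x80000005u, true), ack_before_refresh);
	while (ack_count)   /* send the queued delayed acks */
		lsa_unlock(&ack_queue[--ack_count]);
	return uaf_hits;
}

int main(void)
{
	printf("ack after refresh:  %d freed-LSA accesses\n", run_scenario(false));
	printf("ack before refresh: %d freed-LSA accesses\n", run_scenario(true));
	return 0;
}
```

With the ack scheduled last, the model counts two touches of the freed LSA (the lock when the ack is queued and the unlock when it is sent); with the ack scheduled first, the received LSA stays alive until the ack has gone out and is then freed exactly once, while the refreshed copy remains in the LSDB with the LSDB's single reference. The general rule the fix applies is to take every reference you will need before calling anything that may drop someone else's.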
@frrbot frrbot bot added the ospf label Jul 22, 2025
@mjstapp mjstapp merged commit 5b7854a into stable/10.4 Jul 22, 2025
17 checks passed
@Jafaral Jafaral deleted the mergify/bp/stable/10.4/pr-19224 branch July 31, 2025 15:06