Potential freed memory access during evpn segment deletion
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R4.1 | Fix Committed | High | Ananth Suryanarayana |
Trunk | Fix Committed | High | Ananth Suryanarayana |
Bug Description
The erase() API takes its key argument by reference. Hence, by passing segment->esi() as a reference to erase(), this key can still be accessed within the boost container code while the segment that contains the key gets destroyed.
diff --git a/src/bgp/
index b58f65b..7904aea 100644
--- a/src/bgp/
+++ b/src/bgp/
@@ -1043,7 +1043,8 @@ bool EvpnManager:
BOOST_
if (segment-
- segment_
+ EthernetSegmentId esi = segment->esi();
+ segment_
}
}
segment_
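Review bot: The local copy added at `EthernetSegmentId esi = segment->esi();` has no comment saying that it exists to keep the key valid while the segment that owns it is destroyed, so a later cleanup could fold it back into the call and reintroduce the freed-memory access. Suggest a one-line comment above the copy stating that the key must outlive the segment, and declaring the local `const` since it is only read.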
Review in progress for https://review.opencontrail.org/38027
Submitter: Ananth Suryanarayana (<email address hidden>)
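
The hazard in the bug description, as an added example that is not OpenContrail or Boost code: `Segment`, `SegmentMap`, `erase_by_reference` and `erase_by_copy` are hypothetical names, and the container is only a model of an owning map whose `erase()` destroys the value and then reads the caller's key reference again. The free is replaced by scrubbing the key in storage that stays allocated, so the stale read gives a deterministic result instead of undefined behaviour.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for illustration; not OpenContrail or Boost code.
struct Segment {
    std::string esi;   // the key lives inside the owned object
    const std::string &key() const { return esi; }
};

// Owning map whose erase() destroys the value first, then reads the
// caller's key reference a second time to drop the index node.
class SegmentMap {
public:
    Segment *insert(const std::string &esi) {
        pool_.push_back(std::unique_ptr<Segment>(new Segment()));
        pool_.back()->esi = esi;
        return index_[esi] = pool_.back().get();
    }
    std::size_t erase(const std::string &key) {
        auto it = index_.find(key);
        if (it == index_.end()) return 0;
        // Stands in for `delete`: the key inside the value is scrubbed, but
        // the storage stays in pool_ so the stale read below is not UB.
        it->second->esi.assign("<freed>");
        return index_.erase(key);   // second read of the caller's reference
    }
    std::size_t size() const { return index_.size(); }
private:
    std::map<std::string, Segment *> index_;
    std::vector<std::unique_ptr<Segment>> pool_;
};

// Call shape before the fix: the key reference aliases the dying object.
std::size_t erase_by_reference(SegmentMap &m, Segment *s) { return m.erase(s->key()); }
// Call shape after the fix: the key is copied to a local first.
std::size_t erase_by_copy(SegmentMap &m, Segment *s) {
    const std::string esi = s->key();
    return m.erase(esi);
}

int main() {
    SegmentMap a, b;
    std::size_t stale = erase_by_reference(a, a.insert("esi-1"));
    std::size_t clean = erase_by_copy(b, b.insert("esi-1"));
    std::printf("by reference erased %zu, by copy erased %zu\n", stale, clean);
}
```

In the model the aliased key no longer matches after the value is destroyed, so the index keeps a node pointing at a dead segment; with a real `delete` the same read touches freed memory and is what AddressSanitizer reports as heap-use-after-free.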