Potential freed memory access during evpn segment deletion

Bug #1735558 reported by Ananth Suryanarayana
Affects: Juniper Openstack (status tracked in Trunk)
R4.1: Fix Committed, Importance High, assigned to Ananth Suryanarayana
Trunk: Fix Committed, Importance High, assigned to Ananth Suryanarayana

Bug Description

The erase() API takes the key argument by reference. Hence, by passing segment->esi() as a reference to erase(), this key can still be accessed within the boost container code while the segment that contains the key gets destroyed.

diff --git a/src/bgp/bgp_evpn.cc b/src/bgp/bgp_evpn.cc
index b58f65b..7904aea 100644
--- a/src/bgp/bgp_evpn.cc
+++ b/src/bgp/bgp_evpn.cc
@@ -1043,7 +1043,8 @@ bool EvpnManager::ProcessSegmentDeleteSet() {
     BOOST_FOREACH(EvpnSegment *segment, segment_delete_set_) {
         if (segment->MayDelete()) {
             segment_update_set_.erase(segment);
- segment_map_.erase(segment->esi());
+ EthernetSegmentId esi = segment->esi();
+ segment_map_.erase(esi);
         }
     }
     segment_delete_set_.clear();
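
Review bot: the added `EthernetSegmentId esi = segment->esi();` line has no comment saying the copy is deliberate, and `segment_map_.erase(segment->esi())` looks like an equivalent, shorter form, so a later cleanup could put the reference into the segment being destroyed straight back. A one-line comment above the copy stating that the key must outlive the segment erased from `segment_map_` would prevent that, and the local could be declared `const` since it is only read.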

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/38027
Submitter: Ananth Suryanarayana (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/38033
Submitter: Ananth Suryanarayana (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/38033
Committed: http://github.com/Juniper/contrail-controller/commit/516bef04993a9fe640a24f39f57e0bb4eaae3642
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 516bef04993a9fe640a24f39f57e0bb4eaae3642
Author: Ananth Suryanarayana <email address hidden>
Date: Thu Nov 30 13:51:38 2017 -0800

Do not access esi segment_id from segment being erased

boost::ptr_map::erase() API takes key argument by reference. Hence, by passing
segment->esi() as a reference to erase(), this key can still be accessed within
the boost container code while the segment that contains the key gets destroyed.

Also fix a minor leak in bgp_evpn_aliasing_test.cc using scoped_ptr.

Change-Id: I2045699e103546a5fe3aef679b45c2a373326475
Closes-Bug: 1735558

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/38027
Committed: http://github.com/Juniper/contrail-controller/commit/ce8cf76730e63324f36f1691a0ff0d882a7a38b5
Submitter: Zuul (<email address hidden>)
Branch: master

commit ce8cf76730e63324f36f1691a0ff0d882a7a38b5
Author: Ananth Suryanarayana <email address hidden>
Date: Thu Nov 30 13:51:38 2017 -0800

Do not access esi segment_id from segment being erased

boost::ptr_map::erase() API takes key argument by reference. Hence, by passing
segment->esi() as a reference to erase(), this key can still be accessed within
the boost container code while the segment that contains the key gets destroyed.

Also fix a minor leak in bgp_evpn_aliasing_test.cc using scoped_ptr.

Change-Id: I2045699e103546a5fe3aef679b45c2a373326475
Closes-Bug: 1735558
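
The aliasing pattern from the bug description, as an added example that is not Contrail or Boost code: a simplified owning map whose erase takes the key by reference and reads it again after destroying the mapped object, with a guard that refuses a key stored inside that object. Segment, OwningMap, KeyAliasesValue and both helper functions are hypothetical names, and std::map with std::string stands in for boost::ptr_map and EthernetSegmentId.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for EvpnSegment; std::string stands in for EthernetSegmentId.
struct Segment {
    explicit Segment(std::string esi) : esi_(std::move(esi)) {}
    const std::string &esi() const { return esi_; }  // reference into *this
    std::string esi_;
};

// Simplified owning map (assumption, not Boost's code): Erase() takes the key
// by reference and reads it again after the mapped object has been destroyed.
class OwningMap {
public:
    void Insert(std::unique_ptr<Segment> s) {
        std::string key = s->esi();  // the map keeps its own copy of the key
        map_[key] = std::move(s);
    }
    // True when the caller's key object is stored inside *seg.
    static bool KeyAliasesValue(const std::string &key, const Segment *seg) {
        std::uintptr_t k = reinterpret_cast<std::uintptr_t>(&key);
        std::uintptr_t b = reinterpret_cast<std::uintptr_t>(seg);
        return k >= b && k < b + sizeof(Segment);
    }
    // Returns 1 if erased, 0 if absent, -1 if refused because the key would dangle.
    int Erase(const std::string &key) {
        auto it = map_.find(key);
        if (it == map_.end()) return 0;
        if (KeyAliasesValue(key, it->second.get())) return -1;
        it->second.reset();                        // segment destroyed here
        return static_cast<int>(map_.erase(key));  // key is read again here
    }
    std::size_t Size() const { return map_.size(); }
private:
    std::map<std::string, std::unique_ptr<Segment>> map_;
};

// Call shape before the fix: the key is a reference into the segment.
int EraseByMemberRef(OwningMap &m, const Segment *seg) { return m.Erase(seg->esi()); }

// Call shape after the fix: copy the key so it outlives the segment.
int EraseByCopy(OwningMap &m, const Segment *seg) {
    std::string esi = seg->esi();
    return m.Erase(esi);
}
```

A guard of this kind suits debug builds; building the tests with AddressSanitizer reports the same class of defect at the point of the stale read.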
