pim: Heap use after free in function igmp_source_delete

[mobash-rasool]

Error: heap-use-after-free

AddressSanitizer error in topotest test_multicast_pim_uplink_topo2.py, test test_mroutes_updated_with_correct_oil_iif_after_shut_noshut_upstream_interface_p0, router r5

ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000801f0 at pc 0x5598c27c213f bp 0x7ffc04462060 sp 0x7ffc04462050
READ of size 4 at 0x6160000801f0 thread T0
    #0 0x5598c27c213e in igmp_source_delete pimd/pim_igmpv3.c:340
    #1 0x5598c27c277f in igmp_source_delete_expired pimd/pim_igmpv3.c:405
    #2 0x5598c27b34c7 in igmp_group_timer pimd/pim_igmp.c:1324
    #3 0x7fb78e68e1a7 in event_call lib/event.c:1995
    #4 0x7fb78e5d28a5 in frr_run lib/libfrr.c:1213
    #5 0x5598c27c781d in main pimd/pim_main.c:162
    #6 0x7fb78dbeac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #7 0x5598c26f0ab9 in _start (/usr/lib/frr/pimd+0x103ab9)

0x6160000801f0 is located 112 bytes inside of 600-byte region [0x616000080180,0x6160000803d8)
freed by thread T0 here:
    #0 0x7fb78ebf17a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x7fb78e5eff7c in qfree lib/memory.c:130
    #2 0x5598c2750412 in pim_channel_oil_free pimd/pim_oil.c:84
    #3 0x5598c2750c26 in pim_channel_oil_del pimd/pim_oil.c:199
    #4 0x5598c27681d3 in tib_sg_gm_prune pimd/pim_tib.c:167
    #5 0x5598c27b0e7f in igmp_source_forward_stop pimd/pim_igmp.c:225
    #6 0x5598c27c25ac in igmp_source_timer pimd/pim_igmpv3.c:155
    #7 0x7fb78e68e1a7 in event_call lib/event.c:1995
    #8 0x7fb78e5d28a5 in frr_run lib/libfrr.c:1213
    #9 0x5598c27c781d in main pimd/pim_main.c:162
    #10 0x7fb78dbeac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

previously allocated by thread T0 here:
    #0 0x7fb78ebf1d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x7fb78e5ef5e2 in qcalloc lib/memory.c:105
    #2 0x5598c27518a4 in pim_channel_oil_add pimd/pim_oil.c:133
    #3 0x5598c2767c54 in tib_sg_oil_setup pimd/pim_tib.c:30
    #4 0x5598c2767c54 in tib_sg_gm_join pimd/pim_tib.c:94
    #5 0x5598c27b09df in igmp_source_forward_start pimd/pim_igmp.c:191
    #6 0x5598c27b0af3 in igmp_anysource_forward_start pimd/pim_igmp.c:49
    #7 0x5598c27c02f9 in group_exclude_fwd_anysrc_ifempty pimd/pim_igmpv3.c:310
    #8 0x5598c27c3605 in isex_incl pimd/pim_igmpv3.c:639
    #9 0x5598c27c3605 in igmpv3_report_isex pimd/pim_igmpv3.c:670
    #10 0x5598c27becd5 in igmp_v2_recv_report pimd/pim_igmpv2.c:167
    #11 0x5598c27b675e in pim_igmp_packet pimd/pim_igmp.c:787
    #12 0x5598c2739a73 in process_igmp_packet pimd/pim_mroute.c:683
    #13 0x5598c2739a73 in pim_mroute_msg pimd/pim_mroute.c:707
    #14 0x5598c273a41f in mroute_read pimd/pim_mroute.c:797
    #15 0x7fb78e68e1a7 in event_call lib/event.c:1995
    #16 0x7fb78e5d28a5 in frr_run lib/libfrr.c:1213
    #17 0x5598c27c781d in main pimd/pim_main.c:162

[github-actions]

This issue is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this issue closed.

[frrbot]

This issue will be automatically closed in the specified period unless there is further activity.