Closed
Description
Found in FRR master as of 12/16/2019, Git sha 8887295
Issue found while running the Ixia ANVL Compliance Tests for OSPFv2
==26177==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000238d8 at pc 0x7f88f7c4fa93 bp 0x7fff9a641830 sp 0x7fff9a641820
READ of size 8 at 0x6120000238d8 thread T0
#0 0x7f88f7c4fa92 in if_delete lib/if.c:290
#1 0x42192e in ospf_vl_if_delete ospfd/ospf_interface.c:912
#2 0x42192e in ospf_vl_delete ospfd/ospf_interface.c:990
#3 0x4a6208 in no_ospf_area_vlink ospfd/ospf_vty.c:1227
#4 0x7f88f7c1553d in cmd_execute_command_real lib/command.c:1073
#5 0x7f88f7c19b1e in cmd_execute_command lib/command.c:1132
#6 0x7f88f7c19e8e in cmd_execute lib/command.c:1288
#7 0x7f88f7cd7523 in vty_command lib/vty.c:516
#8 0x7f88f7cd79ff in vty_execute lib/vty.c:1285
#9 0x7f88f7cde4f9 in vtysh_read lib/vty.c:2119
#10 0x7f88f7ccb845 in thread_call lib/thread.c:1549
#11 0x7f88f7c5d6a7 in frr_run lib/libfrr.c:1093
#12 0x412976 in main ospfd/ospf_main.c:221
#13 0x7f88f73b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x413c78 in _start (/usr/local/master/sbin/ospfd+0x413c78)
0x6120000238d8 is located 24 bytes inside of 304-byte region [0x6120000238c0,0x6120000239f0)
freed by thread T0 here:
#0 0x7f88f80722ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x4204f4 in ospf_if_free ospfd/ospf_interface.c:364
#2 0x42190c in ospf_vl_if_delete ospfd/ospf_interface.c:911
#3 0x42190c in ospf_vl_delete ospfd/ospf_interface.c:990
#4 0x4a6208 in no_ospf_area_vlink ospfd/ospf_vty.c:1227
#5 0x7f88f7c1553d in cmd_execute_command_real lib/command.c:1073
#6 0x7f88f7c19b1e in cmd_execute_command lib/command.c:1132
#7 0x7f88f7c19e8e in cmd_execute lib/command.c:1288
#8 0x7f88f7cd7523 in vty_command lib/vty.c:516
#9 0x7f88f7cd79ff in vty_execute lib/vty.c:1285
#10 0x7f88f7cde4f9 in vtysh_read lib/vty.c:2119
#11 0x7f88f7ccb845 in thread_call lib/thread.c:1549
#12 0x7f88f7c5d6a7 in frr_run lib/libfrr.c:1093
#13 0x412976 in main ospfd/ospf_main.c:221
#14 0x7f88f73b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f88f807279a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x7f88f7c66645 in qcalloc lib/memory.c:110
#2 0x41c7ee in ospf_if_new ospfd/ospf_interface.c:234
#3 0x420e76 in ospf_vl_new ospfd/ospf_interface.c:871
#4 0x491805 in ospf_find_vl_data ospfd/ospf_vty.c:941
#5 0x491805 in ospf_vl_set ospfd/ospf_vty.c:1041
#6 0x4a6c7f in ospf_area_vlink ospfd/ospf_vty.c:1173
#7 0x7f88f7c1553d in cmd_execute_command_real lib/command.c:1073
#8 0x7f88f7c19b1e in cmd_execute_command lib/command.c:1132
#9 0x7f88f7c19e8e in cmd_execute lib/command.c:1288
#10 0x7f88f7cd7523 in vty_command lib/vty.c:516
#11 0x7f88f7cd79ff in vty_execute lib/vty.c:1285
#12 0x7f88f7cde4f9 in vtysh_read lib/vty.c:2119
#13 0x7f88f7ccb845 in thread_call lib/thread.c:1549
#14 0x7f88f7c5d6a7 in frr_run lib/libfrr.c:1093
#15 0x412976 in main ospfd/ospf_main.c:221
#16 0x7f88f73b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free lib/if.c:290 if_delete
==26177==ABORTING