In case of misconfiguration (an interface is specified twice), a race condition between the privsep and main thread occurs, which leads to a double free and crashes radvd.
The reproducer is as simple as:
interface eth0
{
};
interface eth0
{
};
Valgrind report:
==22820== Invalid free() / delete / delete[] / realloc()
==22820== at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==22820== by 0x10E501: free_iface_list (interface.c:427)
==22820== by 0x10E501: free_ifaces (interface.c:436)
==22820== by 0x10B775: main (radvd.c:442)
==22820== Address 0x520cca0 is 0 bytes inside a block of size 352 free'd
==22820== at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==22820== by 0x10E501: free_iface_list (interface.c:427)
==22820== by 0x10E501: free_ifaces (interface.c:436)
==22820== by 0x111714: cleanup (gram.y:907)
==22820== by 0x113465: yyparse (gram.y:197)
==22820== by 0x113CA5: readin_config (gram.y:956)
==22820== by 0x10B3AB: main (radvd.c:327)
==22820== Block was alloc'd at
==22820== at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==22820== by 0x1136DF: yyparse (gram.y:202)
==22820== by 0x113CA5: readin_config (gram.y:956)
==22820== by 0x10B3AB: main (radvd.c:327)
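The trace above shows the same list being freed twice: first by cleanup() inside yyparse() when the duplicate interface is rejected, then again by free_ifaces() in main(). The C program below is an added illustration of that pattern, not radvd's code: a toy parser over a hypothetical interface list (struct iface, parse_config, free_iface_list are all invented names) that, with clear_on_error set to 0, hands the already-freed list head back to the caller exactly as the trace describes, and with clear_on_error set to 1 resets the head to NULL so the caller's cleanup becomes a harmless no-op. The "eth0, eth0" input is constructed from the reproducer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a per-interface list node (not radvd's struct). */
struct iface {
    char name[16];
    struct iface *next;
};

/* Free every node in the list; returns how many were freed so callers can check. */
static size_t free_iface_list(struct iface *head)
{
    size_t n = 0;
    while (head) {
        struct iface *next = head->next;
        free(head);
        head = next;
        n++;
    }
    return n;
}

static int has_iface(const struct iface *head, const char *name)
{
    for (; head; head = head->next)
        if (strcmp(head->name, name) == 0)
            return 1;
    return 0;
}

static size_t count_ifaces(const struct iface *head)
{
    size_t n = 0;
    for (; head; head = head->next)
        n++;
    return n;
}

/*
 * Toy "parser": names[] plays the role of the interface blocks in the config.
 * On a duplicate it tears the partial list down, like cleanup() in the trace.
 * clear_on_error == 0 reproduces the reported shape: the freed head is still
 * returned through *out, so the caller's free_iface_list() frees it again.
 * clear_on_error == 1 resets *out to NULL, so the caller's cleanup is a no-op.
 */
static int parse_config(const char *const names[], size_t n,
                        struct iface **out, int clear_on_error)
{
    struct iface *list = NULL;
    for (size_t i = 0; i < n; i++) {
        if (has_iface(list, names[i])) {
            fprintf(stderr, "interface %s specified twice\n", names[i]);
            free_iface_list(list);
            *out = clear_on_error ? NULL : list;  /* bug path: dangling head escapes */
            return -1;
        }
        struct iface *node = calloc(1, sizeof *node);
        if (!node) {
            free_iface_list(list);
            *out = NULL;
            return -1;
        }
        snprintf(node->name, sizeof node->name, "%s", names[i]);
        node->next = list;
        list = node;
    }
    *out = list;
    return 0;
}

int main(void)
{
    /* Constructed input mirroring the reproducer: the same interface twice. */
    const char *const dup[] = { "eth0", "eth0" };
    struct iface *ifaces = NULL;

    if (parse_config(dup, 2, &ifaces, 1) != 0) {
        /* Same shape as main() in the trace: free after the config read failed. */
        size_t freed = free_iface_list(ifaces);  /* 0 with the fix: nothing left to free */
        printf("parse failed, caller freed %zu nodes\n", freed);
    }
    return 0;
}
```

The point of the fixed variant is ownership: whichever function frees the list must also clear the pointer the other owner will later use, or the two cleanups (parser error path and main's shutdown path) must be made mutually exclusive.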