troglobit / pimd

PIM-SM/SSM multicast routing for UNIX and Linux
http://troglobit.com/projects/pimd/
BSD 3-Clause "New" or "Revised" License

Possible double-free on IGMP timers #193

Closed brun064 closed 3 years ago

brun064 commented 3 years ago

Ran into a segfault during debug. It seems that when an interface is brought down, the IGMP timers are still active, but the IGMP groups on the VIF are freed. This can lead to a double-free violation. The fix is to clear timers when freeing the IGMP data on the VIF.

diff -Bbru pimd-3.0.2021.03.16/src/vif.c pimd-3.0.2021.03.16-fix-igmp-timers-double-free/src/vif.c
--- pimd-3.0.2021.03.16/src/vif.c   2021-03-19 17:39:36.271423311 +0000
+++ pimd-3.0.2021.03.16-fix-igmp-timers-double-free/src/vif.c   2021-03-31 16:26:19.367567345 +0000
@@ -408,7 +408,13 @@
        a->al_sources = b->al_next;
        free(b);
        }
-
+       /* Clear timers, preventing possible memory double free*/
+            if (a->al_timerid)
+                timer_clear(a->al_timerid);
+            if(a->al_versiontimer)
+                timer_clear(a->al_versiontimer);
+            if(a->al_query)
+                timer_clear(a->al_query);
        free(a);
    }
     }
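Review bot: the new block is inconsistently formatted: the three `if` lines are indented one level deeper than the `free(a);` that follows, two of them are written `if(` while the first is `if (`, and the comment is missing a space before `*/`. Aligning them with the enclosing block and writing `if (...)` for all three would match the surrounding style. The ordering is the important part and is right: all three `timer_clear` calls precede `free(a)`, so, per the description above, the still-armed timers can no longer fire against the freed entry, and because `a` is released on the very next line there is no need to zero the ids afterwards. A one-line comment naming which timer callbacks would otherwise touch `a` would make that reasoning explicit for the next reader.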
troglobit commented 3 years ago

Good catch! Would you like to submit a pull request, to get credit in the logs, or is it OK if I submit this in my name?

brun064 commented 3 years ago

Go ahead and submit. I don't need credit. Just happy to help.
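The failure mode described in the report above, as an added example that is not pimd's code: a hypothetical timer table (`timer_set`, `timer_clear`, `timer_fire_all`), an `igmp_group` whose `timerid` and `versiontimer` fields stand in for `al_timerid` and `al_versiontimer`, and a checked `group_free` that records a second free of the same pointer instead of performing it (an actual double free is undefined behaviour and would abort). `teardown_without_clear` frees the group while its timers are still armed; `teardown_with_clear` clears the timers first, the ordering the patch introduces.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical timer table: each armed timer carries a callback and the
 * group it will act on, exactly the ownership pattern behind the report. */
#define MAX_TIMERS 8
#define MAX_LIVE   8

struct timer {
    int    id;          /* 0 marks an unused slot */
    void (*cb)(void *);
    void  *data;
};

static struct timer timers[MAX_TIMERS];
static int next_timer_id = 1;

/* Registry of live group allocations (addresses only, never dereferenced
 * after free), so a second free can be detected rather than executed. */
static uintptr_t live[MAX_LIVE];
static int double_free_attempts;

struct igmp_group {
    int timerid;        /* stands in for al_timerid */
    int versiontimer;   /* stands in for al_versiontimer */
};

int timer_set(void (*cb)(void *), void *data)
{
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (timers[i].id == 0) {
            timers[i].id = next_timer_id++;
            timers[i].cb = cb;
            timers[i].data = data;
            return timers[i].id;
        }
    }
    return 0;
}

void timer_clear(int id)
{
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].id == id)
            memset(&timers[i], 0, sizeof timers[i]);
}

/* Run every armed timer once, as the event loop would after the interface
 * went down.  Returns the number of callbacks that fired. */
int timer_fire_all(void)
{
    int fired = 0;
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (timers[i].id) {
            struct timer t = timers[i];
            memset(&timers[i], 0, sizeof timers[i]);
            t.cb(t.data);
            fired++;
        }
    }
    return fired;
}

struct igmp_group *group_alloc(void)
{
    struct igmp_group *g = calloc(1, sizeof *g);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = (uintptr_t)g; break; }
    return g;
}

/* Free the group only if it is still registered as live; otherwise count
 * the double-free attempt and leave memory untouched. */
void group_free(struct igmp_group *g)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == (uintptr_t)g) {
            live[i] = 0;
            free(g);
            return;
        }
    }
    double_free_attempts++;
}

/* Timer callback: a membership timeout that releases its group. */
static void group_expire(void *data)
{
    group_free(data);
}

/* Unsafe teardown: the group is freed while both timers are still armed,
 * so each callback later fires with a dangling pointer. */
int teardown_without_clear(void)
{
    double_free_attempts = 0;
    struct igmp_group *g = group_alloc();
    g->timerid = timer_set(group_expire, g);
    g->versiontimer = timer_set(group_expire, g);
    group_free(g);
    timer_fire_all();
    return double_free_attempts;   /* 2: one per stale timer */
}

/* Safe teardown, mirroring the patch: clear timers, then free. */
int teardown_with_clear(void)
{
    double_free_attempts = 0;
    struct igmp_group *g = group_alloc();
    g->timerid = timer_set(group_expire, g);
    g->versiontimer = timer_set(group_expire, g);
    if (g->timerid)
        timer_clear(g->timerid);
    if (g->versiontimer)
        timer_clear(g->versiontimer);
    group_free(g);
    timer_fire_all();
    return double_free_attempts;   /* 0 */
}
```

The registry is the only thing that makes the unsafe path observable rather than a crash; in the real daemon the stale callback dereferences the freed entry, which is why the ordering in the patch (clear every timer that can reach `a`, then `free(a)`) is the whole fix.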