ospf6d: fix heap use after free

[qlyoung]

Refcount issue
fixes #1135

During the loop we save a pointer to the next route in the table in case
brouter is deleted during the course of the loop iteration. However when
we call ospf6_route_remove this can trigger ospf6_route_remove on other
routes in the table, one of which could be pointed at by said pointer.
Since ospf6_route_next locks the route that it returns, it won't
actually be deleted, instead the refcount will go to 1. In the next loop
iteration, nbrouter becomes brouter, and calling ospf6_route_next on
this one will finally decrement the refcount to 0, resulting in a free,
which causes subsequent reads on brouter to be UAF. Since the route will
have OSPF6_ROUTE_WAS_REMOVED set, provided the memory was not
overwritten before we got there, we'll continue on to the next one so it
is unlikely this will cause a crash in production.

Solution implemented is to check if we've deleted the route and continue
if so.

Signed-off-by: Quentin Young qlyoung@cumulusnetworks.com

[NetDEF-CI]

Continuous Integration Result: FAILED

See below for issues.
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1731/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

Get source and apply patch from patchwork: Successful

Building Stage: Successful

Basic Tests: Failed

Topology tests on Ubuntu 16.04 amd64: Successful
IPv6 protocols on Ubuntu 14.04: Successful
Ubuntu 16.04 deb pkg check: Successful
IPv4 ldp protocol on Ubuntu 16.04: Successful
Ubuntu 14.04 deb pkg check: Successful
CentOS 7 rpm pkg check: Successful
Fedora 24 rpm pkg check: Successful
Ubuntu 12.04 deb pkg check: Successful
Static analyzer (clang): Successful
Debian 8 deb pkg check: Successful

IPv4 protocols on Ubuntu 14.04: Failed

RFC Compliance Test ANVL-BGP4-15.28 failing:
Test Summary
If an optional attribute is recognized, then the value of this
attribute MUST be checked. If an error is detected, the attribute MUST
be discarded, and the Error Subcode MUST be set to Optional Attribute
Error. The Data field MUST contain the attribute
(type, length and value).
(This test checks for AGGREGATOR attribute)
Test Reference
NEGATIVE
RFC4271, Sect. 6.3, p 34,
UPDATE message error handling
Test Classification
MUST
Test ANVL-BGP4-15.28: !FAILED!
External peer did not receive expected
BGP4 Notification Message from DUT

---

CLANG Static Analyzer Summary

• Github Pull Request 1217, comparing to Git base SHA f2a3a14

No Changes in Static Analysis warnings compared to base

138 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1731/artifact/shared/static_analysis/index.html

[NetDEF-CI]

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1731/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

---

CLANG Static Analyzer Summary

• Github Pull Request 1217, comparing to Git base SHA f2a3a14

No Changes in Static Analysis warnings compared to base

138 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1731/artifact/shared/static_analysis/index.html

[qlyoung]

false positives

[NetDEF-CI]

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1732/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

---

CLANG Static Analyzer Summary

• Github Pull Request 1217, comparing to Git base SHA f2a3a14

No Changes in Static Analysis warnings compared to base

138 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1732/artifact/shared/static_analysis/index.html

[NetDEF-CI]

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1734/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

---

CLANG Static Analyzer Summary

• Github Pull Request 1217, comparing to Git base SHA f2a3a14

No Changes in Static Analysis warnings compared to base

138 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1734/artifact/shared/static_analysis/index.html

[NetDEF-CI]

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1733/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

---

CLANG Static Analyzer Summary

• Github Pull Request 1217, comparing to Git base SHA f2a3a14

No Changes in Static Analysis warnings compared to base

138 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1733/artifact/shared/static_analysis/index.html

[donaldsharp]

@qlyoung can you make sure you run ospf-smoke with this change?

[NetDEF-CI]

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1735/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

---

CLANG Static Analyzer Summary

• Github Pull Request 1217, comparing to Git base SHA f2a3a14

No Changes in Static Analysis warnings compared to base

138 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1735/artifact/shared/static_analysis/index.html

[mwinter-osr]

Rerunning tests - Address Sanitizer Tests were disabled for some reason

[NetDEF-CI]

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1736/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

---

CLANG Static Analyzer Summary

• Github Pull Request 1217, comparing to Git base SHA f2a3a14

No Changes in Static Analysis warnings compared to base

138 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1736/artifact/shared/static_analysis/index.html

[mwinter-osr]

I still see many heap-after-free Address Sanitizer errors:
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1736/artifact/ASANTOPO/AddressSanitizerError/AddressSanitzer.txt

[qlyoung]

@mwinter-osr check the line numbers, you are testing master and not stable/3.0.

[mwinter-osr]

Yes, something went wrong... troubleshooting the CI - ignore the next CI reruns

[NetDEF-CI]

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1738/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

---

CLANG Static Analyzer Summary

• Github Pull Request 1217, comparing to Git base SHA f2a3a14

No Changes in Static Analysis warnings compared to base

138 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1738/artifact/shared/static_analysis/index.html

[mwinter-osr]

Ok, address sanitizer fixed. There was a bad bug where leftover errors from previous results got reported. Issue is fixed.

Your PR correctly fixes the issue.

[NetDEF-CI]

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1739/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

---

CLANG Static Analyzer Summary

• Github Pull Request 1217, comparing to Git base SHA f2a3a14

No Changes in Static Analysis warnings compared to base

138 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-1739/artifact/shared/static_analysis/index.html

[qlyoung]

just some style nits

[rwestphal]

This would be simpler:

nbrouter = ospf6_route_next(brouter);
if (brouter->lock == 1)
    continue;

And I'm not sure but maybe we could check the OSPF6_ROUTE_WAS_REMOVED flag instead of the refcount lock.

[qlyoung]

Negative, your code is a use after free. brouter is deleted when the refcount drops to zero, which happens inside ospf6_route_next as a call to ospf6_route_unlock (ref). I should have been more specific in the PR description.

[rwestphal]

Indeed. Your commit message couldn't be better, it's me who did a poor review here.

Thanks for fixing this long-standing issue, will merge now.