staticd: Fix SRv6 SID use-after-free on locator deletion (backport #20660 for 10.5) #20701
Merged
Jafaral merged 2 commits into FRRouting:stable/10.5 from Feb 5, 2026
When a locator is removed, we iterate over the list of SIDs and uninstall them from the data plane. However, the validity flag of the SID remains set, and the locator pointer still points to the freed locator memory.

This causes issues in other parts of the code where we check the SID validity flag. Since the flag is still set, we assume the SID is valid and attempt to access the locator pointer, resulting in use-after-free crashes.

Fix this by:

- Unsetting the STATIC_FLAG_SRV6_SID_VALID flag to mark the SID as invalid when its locator is deleted
- Setting the locator pointer to NULL to indicate that the SID no longer has a locator associated with it

This ensures that when the locator is removed, associated SIDs are properly marked as invalid and cannot accidentally reference freed memory.

Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
Add a test case that reproduces and validates the fix for the locator deletion crash issue.

Without the fix, removing a locator leaves SIDs with the validity flag set and a dangling pointer to the freed locator. Attempting to remove those SIDs from configuration causes a use-after-free crash when the code checks the validity flag and accesses the freed locator pointer.

The test reproduces this by:

1. Removing a locator
2. Removing specific SIDs (crash point without the fix)
3. Re-adding the locator
4. Re-adding the removed SIDs

With the fix, the test passes and verifies that the locator removal/re-addition workflow handles SID lifecycle correctly, preventing future regressions.

Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
Target branch is not in the allowed branches list.
Manual backport of #20660 for FRR 10.5.
Replaces #20690.
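
Added example, not FRR code: a minimal C model of the lifecycle the two commit messages describe, showing the flag reset and pointer reset on locator deletion and the four-step workflow from the test commit. Only `STATIC_FLAG_SRV6_SID_VALID` comes from this page (its bit value is assumed); the structs, the `installed` counter and every function name are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#define STATIC_FLAG_SRV6_SID_VALID (1u << 0) /* name from the commit message; bit value assumed */
struct locator { unsigned installed; };                  /* hypothetical model */
struct sid { uint32_t flags; struct locator *locator; }; /* non-owning back-pointer */

static void sid_attach(struct sid *s, struct locator *loc)
{
    s->locator = loc;
    s->flags |= STATIC_FLAG_SRV6_SID_VALID;
    loc->installed++;
}

/* Locator deletion: uninstall each dependent SID and invalidate it before the free. */
static void locator_delete(struct locator *loc, struct sid *sids, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sids[i].locator == loc) {
            loc->installed--;                             /* stands in for the data-plane uninstall */
            sids[i].flags &= ~STATIC_FLAG_SRV6_SID_VALID; /* fix: SID is no longer valid */
            sids[i].locator = NULL;                       /* fix: no dangling pointer */
        }
    free(loc);
}

static int sid_remove(struct sid *s)
{
    if (!(s->flags & STATIC_FLAG_SRV6_SID_VALID))
        return 0; /* already invalid; a stale flag would reach the dereference below */
    s->locator->installed--;
    s->flags &= ~STATIC_FLAG_SRV6_SID_VALID;
    s->locator = NULL;
    return 1;
}

static int run_workflow(void)
{
    struct sid sids[2] = { { 0, NULL }, { 0, NULL } };
    struct locator readded = { 0 }, *loc = calloc(1, sizeof(*loc));
    if (!loc)
        return -1;
    sid_attach(&sids[0], loc);
    sid_attach(&sids[1], loc);
    locator_delete(loc, sids, 2);         /* step 1: remove the locator */
    int first = sid_remove(&sids[0]);     /* step 2: crash point without the fix */
    sid_attach(&sids[0], &readded);       /* steps 3-4: re-add locator and SID */
    return first == 0 && sids[1].locator == NULL && sid_remove(&sids[0]) == 1;
}

int main(void) { return run_workflow() == 1 ? 0 : 1; }
```

Building this with `-fsanitize=address` and commenting out the two reset lines in `locator_delete` makes the sanitizer report the stale read at step 2.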