bgpd: fix bmp heap use after free on non connected session

A heap use after free when enabling bmp mirror on a non connected BMP
target.

> Apr 22 14:06:49 vRR-DUT systemd[1]: Started bfdd.
> Apr 22 14:06:51 vRR-DUT bgpd[1522]: [VTCF0-ZHP6C] bmp: missing TX OPEN message for peer Static announcement
> Apr 22 14:06:51 vRR-DUT bgpd[1522]: [K3RM9-4A4HY] bmp: missing RX OPEN message for peer Static announcement
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: =================================================================
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000321d0 at pc 0x7fe7f11c548e bp 0x7fff49f80d40 sp 0x7fff49f80d30
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: READ of size 8 at 0x60f0000321d0 thread T0
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #0 0x7fe7f11c548d in typesafe_list_add /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #1 0x7fe7f11c9347 in bmp_mirrorq_add_tail /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:116
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #2 0x7fe7f11d030f in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:867
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #9 0x7fe7f4c29e3f in __libc_start_main_impl ../csu/libc-start.c:392
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #10 0x55c756c6e384 in _start (/usr/bin/bgpd+0x272384)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x60f0000321d0 is located 0 bytes inside of 162-byte region [0x60f0000321d0,0x60f000032272)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: freed by thread T0 here:
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #0 0x7fe7f58b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #1 0x7fe7f526f918 in qfree (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f918)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #2 0x7fe7f11d057b in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:875
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: previously allocated by thread T0 here:
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #0 0x7fe7f58b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #1 0x7fe7f526f7c6 in qcalloc (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f7c6)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #2 0x7fe7f11cfd38 in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:835
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: SUMMARY: AddressSanitizer: heap-use-after-free /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 in typesafe_list_add
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow bytes around the buggy address:
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe3f0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe410: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: =>0x0c1e7fffe430: 00 fa fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow byte legend (one shadow byte represents 8 application bytes):
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Addressable:           00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Partially addressable: 01 02 03 04 05 06 07
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Heap left redzone:       fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Freed heap region:       fd
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack left redzone:      f1
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack mid redzone:       f2
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack right redzone:     f3
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack after return:      f5
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack use after scope:   f8
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Global redzone:          f9
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Global init order:       f6
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Poisoned by user:        f7
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Container overflow:      fc
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Array cookie:            ac
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Intra object redzone:    bb
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   ASan internal:           fe
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Left alloca redzone:     ca
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Right alloca redzone:    cb
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Shadow gap:              cc
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ABORTING
> Apr 22 14:06:52 vRR-DUT yams[449]: CONFIG: [{'name': 'ttyS0'}]
> Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 50: Connection reset by peer
> Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Main process exited, code=exited, status=1/FAILURE
> Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 39: Connection reset by peer
> Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Failed with result 'exit-code'.
> Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 0) encountered an error and is shutting down.
> Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Consumed 2.361s CPU time.
> Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 1) encountered an error and is shutting down.
> Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 39 disconnected 0 bgp routes removed from the rib
> Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 39 disconnected 0 bgp nhgs removed from the rib
> Apr 22 14:06:52 vRR-DUT zebra[652]: [KQB7H-NPVW9] /build/make-pkg/output/_packages/cp-routing/src/zebra/zebra_ptm.c:1285 failed to find process pid registration
> Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 50 disconnected 0 bgp routes removed from the rib
> Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 50 disconnected 0 bgp nhgs removed from the rib
>

Do not enqueue item in the mirror queue if no reference count has been
found in the connection list.

Fixes: b1ebe54b29 ("bgpd: bmp, handle imported bgp instances in bmp_mirror")

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bgpd/bgp_bmp.c

@@ -865,6 +865,8 @@ static int bmp_mirror_packet(struct peer *peer, uint8_t type, bgp_size_t size,
 					bmp->mirrorpos = qitem;
 				pullwr_bump(bmp->pullwr);
 			}
+			if (qitem->refcount == 0)
+				continue;
 			bmpbgp->mirror_qsize += sizeof(*qitem) + size;
 			bmp_mirrorq_add_tail(&bmpbgp->mirrorq, qitem);