Ospf6d use after free from address sanitizer run

[donaldsharp]

Description

The test ospf6_ecmp_inter_area has found a use after free issue:

=================================================================
==2960==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000078248 at pc 0x55c5afb4bfb5 bp 0x7ffc162219b0 sp 0x7ffc162219a8
READ of size 2 at 0x612000078248 thread T0
    #0 0x55c5afb4bfb4 in ospf6_asbr_lsentry_add ospf6d/ospf6_asbr.c:1010
    #1 0x55c5afbc28ac in ospf6_top_brouter_hook_add ospf6d/ospf6_top.c:320
    #2 0x55c5afb852e8 in ospf6_intra_brouter_calculation ospf6d/ospf6_intra.c:2199
    #3 0x55c5afbc19cc in ospf6_spf_calculation_thread ospf6d/ospf6_spf.c:639
    #4 0x7f23bfaec056 in event_call lib/event.c:1984
    #5 0x7f23bfa1a0eb in frr_run lib/libfrr.c:1246
    #6 0x55c5afb42c0a in main ospf6d/ospf6_main.c:283
    #7 0x7f23bf633249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f23bf633304 in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x55c5afb423e0 in _start (/usr/lib/frr/ospf6d+0xe93e0)

0x612000078248 is located 136 bytes inside of 296-byte region [0x6120000781c0,0x6120000782e8)
freed by thread T0 here:
    #0 0x7f23bfeb76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f23bfa39a98 in qfree lib/memory.c:131
    #2 0x55c5afbb3252 in ospf6_route_delete ospf6d/ospf6_route.c:467
    #3 0x55c5afbb383f in ospf6_route_unlock ospf6d/ospf6_route.c:509
    #4 0x55c5afbb6200 in ospf6_route_remove ospf6d/ospf6_route.c:945
    #5 0x55c5afbed0a5 in ospf6_abr_old_route_remove ospf6d/ospf6_abr.c:983
    #6 0x55c5afbee3d3 in ospf6_abr_examin_summary ospf6d/ospf6_abr.c:1200
    #7 0x55c5afbefa60 in ospf6_abr_examin_brouter ospf6d/ospf6_abr.c:1395
    #8 0x55c5afbc25a6 in ospf6_top_brouter_hook_remove ospf6d/ospf6_top.c:342
    #9 0x55c5afbb61f8 in ospf6_route_remove ospf6d/ospf6_route.c:943
    #10 0x55c5afbed0a5 in ospf6_abr_old_route_remove ospf6d/ospf6_abr.c:983
    #11 0x55c5afbee3d3 in ospf6_abr_examin_summary ospf6d/ospf6_abr.c:1200
    #12 0x55c5afbefa60 in ospf6_abr_examin_brouter ospf6d/ospf6_abr.c:1395
    #13 0x55c5afbc28a1 in ospf6_top_brouter_hook_add ospf6d/ospf6_top.c:318
    #14 0x55c5afb852e8 in ospf6_intra_brouter_calculation ospf6d/ospf6_intra.c:2199
    #15 0x55c5afbc19cc in ospf6_spf_calculation_thread ospf6d/ospf6_spf.c:639
    #16 0x7f23bfaec056 in event_call lib/event.c:1984
    #17 0x7f23bfa1a0eb in frr_run lib/libfrr.c:1246
    #18 0x55c5afb42c0a in main ospf6d/ospf6_main.c:283
    #19 0x7f23bf633249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f23bfeb83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7f23bfa391a5 in qcalloc lib/memory.c:106
    #2 0x55c5afbb30c4 in ospf6_route_create ospf6d/ospf6_route.c:448
    #3 0x55c5afbee542 in ospf6_abr_examin_summary ospf6d/ospf6_abr.c:1209
    #4 0x55c5afbefa60 in ospf6_abr_examin_brouter ospf6d/ospf6_abr.c:1395
    #5 0x55c5afbc28a1 in ospf6_top_brouter_hook_add ospf6d/ospf6_top.c:318
    #6 0x55c5afb852e8 in ospf6_intra_brouter_calculation ospf6d/ospf6_intra.c:2199
    #7 0x55c5afbc19cc in ospf6_spf_calculation_thread ospf6d/ospf6_spf.c:639
    #8 0x7f23bfaec056 in event_call lib/event.c:1984
    #9 0x7f23bfa1a0eb in frr_run lib/libfrr.c:1246
    #10 0x55c5afb42c0a in main ospf6d/ospf6_main.c:283
    #11 0x7f23bf633249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free ospf6d/ospf6_asbr.c:1010 in ospf6_asbr_lsentry_add
Shadow bytes around the buggy address:
  0x0c2480006ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480007000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480007010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480007020: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480007030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2480007040: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c2480007050: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480007060: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480007070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480007080: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480007090: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2960==ABORTING

This needs to be addressed.
https://ci1.netdef.org/artifact/FRR-PULLREQ3/ASAN9D12AMD64/build-7341/TopotestDetails/ospf6_ecmp_inter_area.test_ospf6_ecmp_inter_area

Version

latest master

How to reproduce

Run with address-sanitizer. does not happen every run.

Expected behavior

no use after freee.

Actual behavior

Use after free

Additional context

Llama's are closely related to Alpaca's

Checklist

• I have searched the open issues for this bug.
• I have not included sensitive information in this report.