authorQuentin Young <qlyoung@cumulusnetworks.com>2017-05-22 04:12:05 +0200
committerQuentin Young <qlyoung@cumulusnetworks.com>2017-05-22 04:14:29 +0200
commit8f599166fb5896224d5b0ec835be4e6b8c496d3e (patch)
treeaa1d9086f87d440d6a5942dd347e6d48385fd149
parentpimd: Fix indentation issue that is causing clang unhappiness (diff)
ospf6d: fix use-after-free
ospf6_route_remove may free the ospf6_route passed to it if the refcount reaches zero, in which case zeroing the ->flag field afterwards is a use-after-free.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
-rw-r--r--ospf6d/ospf6_intra.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c
index 646196385..5dd10b4c7 100644
--- a/ospf6d/ospf6_intra.c
+++ b/ospf6d/ospf6_intra.c
@@ -1455,13 +1455,14 @@ ospf6_intra_route_calculation (struct ospf6_area *oa)
{
if (hook_add)
(*hook_add) (route);
+ route->flag = 0;
}
else
{
/* Redo the summaries as things might have changed */
ospf6_abr_originate_summary (route);
+ route->flag = 0;
}
- route->flag = 0;
}
if (IS_OSPF6_DEBUG_EXAMIN (INTRA_PREFIX))
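Review bot: The two per-branch `route->flag = 0;` resets carry no comment explaining why the reset cannot sit once after the if/else chain, so a later tidy-up that merges the duplicates would silently restore the use-after-free the commit message describes. I would add a comment at the first reset, for example `/* reset per branch: the removal branch may already have freed route */`, and repeat it at the second. The branch that calls ospf6_route_remove and the enclosing loop header are outside this hunk, so it cannot be checked from here whether the loop advance also reads `route` after removal; that is worth confirming alongside this fix. Likewise, the first reset assumes `(*hook_add) (route)` never drops the last reference to `route`, which the visible lines do not establish.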