diff options
| author | Quentin Young <qlyoung@cumulusnetworks.com> | 2017-06-09 16:53:11 +0200 |
|---|---|---|
| committer | Quentin Young <qlyoung@cumulusnetworks.com> | 2017-06-09 16:53:11 +0200 |
| commit | 5fe70a71765bd8fe72208b7667a0c47fbd494329 (patch) | |
| tree | a47a94ce6dfd4d35c8f5500a96d0349d30107808 /isisd | |
| parent | isisd: fix heap uaf (diff) | |
| download | frr-5fe70a71765bd8fe72208b7667a0c47fbd494329.tar.xz frr-5fe70a71765bd8fe72208b7667a0c47fbd494329.zip | |
isisd: fix heap uaf, round 2
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Diffstat (limited to 'isisd')
| -rw-r--r-- | isisd/isis_adjacency.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/isisd/isis_adjacency.c b/isisd/isis_adjacency.c index de1ccaad1..382193092 100644 --- a/isisd/isis_adjacency.c +++ b/isisd/isis_adjacency.c @@ -178,6 +178,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state int old_state; int level; struct isis_circuit *circuit; + bool del; old_state = adj->adj_state; adj->adj_state = new_state; @@ -212,7 +213,8 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state if (circuit->circ_type == CIRCUIT_T_BROADCAST) { - for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++) + del = false; + for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++) { if ((adj->level & level) == 0) continue; @@ -235,8 +237,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state list_delete_all_node (circuit->lsp_queue); } isis_event_adjacency_state_change (adj, new_state); - isis_delete_adj (adj); - adj = NULL; + del = true; } if (circuit->u.bc.lan_neighs[level - 1]) @@ -250,10 +251,16 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state if (circuit->u.bc.is_dr[level - 1]) lsp_regenerate_schedule_pseudo (circuit, level); } + + if (del) + isis_delete_adj (adj); + + adj = NULL; } else if (circuit->circ_type == CIRCUIT_T_P2P) { - for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++) + del = false; + for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++) { if ((adj->level & level) == 0) continue; @@ -285,10 +292,14 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state list_delete_all_node (circuit->lsp_queue); } isis_event_adjacency_state_change (adj, new_state); - isis_delete_adj (adj); - adj = NULL; + del = true; } } + + if (del) + isis_delete_adj (adj); + + adj = NULL; } return; |