diff options
| author | David Lamparter <equinox@opensourcerouting.org> | 2013-12-09 16:48:55 +0100 |
|---|---|---|
| committer | David Lamparter <equinox@opensourcerouting.org> | 2014-03-18 08:45:29 +0100 |
| commit | 11b4f01355703d34099d4da145c7d92e32d98636 (patch) | |
| tree | e895a3794edbfe60c481954ed4ad79fcc2b661c3 /ospf6d/ospf6_lsdb.c | |
| parent | ospf6d: handle missing link local address more gracefully (diff) | |
| download | frr-11b4f01355703d34099d4da145c7d92e32d98636.tar.xz frr-11b4f01355703d34099d4da145c7d92e32d98636.zip | |
ospf6d: clear lsa->refresh before clearing LSAs
This fixes a SEGV when we receive a higher-SeqNum copy of a LSA that we
originated ourselves, before a reboot of ospf6d. We create a new
copy of the LSA to resync the SeqNum, but then half an hour later
the old refresh thread ends up trying to refresh the free()'d old LSA.
The SEGV is triggered by this chain:
ospf6_lsdb_maxage_remover
-> thread_execute(ospf6_lsa_refresh)
-> old->refresh = NULL
Which assumes that old->refresh is no longer scheduled to run, as it is
being run right there. But the thread_execute() doesn't know about
old->refresh and therefore didn't remove it.
(Found by ANVL OSPFV3-16.17)
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Diffstat (limited to 'ospf6d/ospf6_lsdb.c')
| -rw-r--r-- | ospf6d/ospf6_lsdb.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/ospf6d/ospf6_lsdb.c b/ospf6d/ospf6_lsdb.c index 5138d1c1c..707afc67e 100644 --- a/ospf6d/ospf6_lsdb.c +++ b/ospf6d/ospf6_lsdb.c @@ -473,6 +473,8 @@ ospf6_lsdb_maxage_remover (struct ospf6_lsdb *lsdb) */ lsa->header->seqnum = htonl(OSPF_MAX_SEQUENCE_NUMBER + 1); ospf6_lsa_checksum (lsa->header); + + THREAD_OFF(lsa->refresh); thread_execute (master, ospf6_lsa_refresh, lsa, 0); } else { ospf6_lsdb_remove (lsa, lsdb); |