diff options
author | Russ White <russ@riw.us> | 2020-05-21 21:15:07 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-21 21:15:07 +0200 |
commit | cb47b207f520ce9450f7b15fc4818b867cbc0c54 (patch) | |
tree | 1a0b9891e85aed6d8cd6d96ee34546b18cdb71ce /ospf6d | |
parent | Merge pull request #6293 from GalaxyGorilla/json_diff (diff) | |
parent | ospf6d: Revert "ospf6d: Prevent use after free" (diff) | |
download | frr-cb47b207f520ce9450f7b15fc4818b867cbc0c54.tar.xz frr-cb47b207f520ce9450f7b15fc4818b867cbc0c54.zip |
Merge pull request #6407 from donaldsharp/revert_ospfv3_fix
ospf6d: Revert "ospf6d: Prevent use after free"
Diffstat (limited to 'ospf6d')
-rw-r--r-- | ospf6d/ospf6_lsdb.c | 15 | ||||
-rw-r--r-- | ospf6d/ospf6_message.c | 44 | ||||
-rw-r--r-- | ospf6d/ospf6_neighbor.c | 31 |
3 files changed, 26 insertions, 64 deletions
diff --git a/ospf6d/ospf6_lsdb.c b/ospf6d/ospf6_lsdb.c index 0a9f1c6f7..b551dbdfa 100644 --- a/ospf6d/ospf6_lsdb.c +++ b/ospf6d/ospf6_lsdb.c @@ -298,17 +298,13 @@ struct ospf6_lsa *ospf6_lsdb_next(const struct route_node *iterend, void ospf6_lsdb_remove_all(struct ospf6_lsdb *lsdb) { - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; if (lsdb == NULL) return; - for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(lsdb, lsa)) ospf6_lsdb_remove(lsa, lsdb); - } } void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa) @@ -323,12 +319,9 @@ void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa) int ospf6_lsdb_maxage_remover(struct ospf6_lsdb *lsdb) { int reschedule = 0; - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; - for (iterend = ospf6_lsdb_head(lsdb, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(lsdb, lsa)) { if (!OSPF6_LSA_IS_MAXAGE(lsa)) continue; if (lsa->retrans_count != 0) { diff --git a/ospf6d/ospf6_message.c b/ospf6d/ospf6_message.c index 31862a229..f891f548a 100644 --- a/ospf6d/ospf6_message.c +++ b/ospf6d/ospf6_message.c @@ -1859,8 +1859,7 @@ int ospf6_dbdesc_send(struct thread *thread) int ospf6_dbdesc_send_newone(struct thread *thread) { struct ospf6_neighbor *on; - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; unsigned int size = 0; on = (struct ospf6_neighbor *)THREAD_ARG(thread); @@ -1870,10 +1869,7 @@ int ospf6_dbdesc_send_newone(struct thread *thread) structure) so that ospf6_send_dbdesc () can send those LSAs */ size = sizeof(struct ospf6_lsa_header) + sizeof(struct ospf6_dbdesc); - - for (iterend = ospf6_lsdb_head(on->summary_list, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(on->summary_list, lsa)) { if (size + sizeof(struct ospf6_lsa_header) > ospf6_packet_max(on->ospf6_if)) { ospf6_lsdb_lsa_unlock(lsa); @@ -2016,8 +2012,7 @@ int ospf6_lsupdate_send_neighbor(struct thread *thread) struct ospf6_lsupdate *lsupdate; uint8_t *p; int lsa_cnt; - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; on = (struct ospf6_neighbor *)THREAD_ARG(thread); on->thread_send_lsupdate = (struct thread *)NULL; @@ -2042,9 +2037,7 @@ int ospf6_lsupdate_send_neighbor(struct thread *thread) /* lsupdate_list lists those LSA which doesn't need to be retransmitted. remove those from the list */ - for (iterend = ospf6_lsdb_head(on->lsupdate_list, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(on->lsupdate_list, lsa)) { /* MTU check */ if ((p - sendbuf + (unsigned int)OSPF6_LSA_SIZE(lsa->header)) > ospf6_packet_max(on->ospf6_if)) { @@ -2074,7 +2067,7 @@ int ospf6_lsupdate_send_neighbor(struct thread *thread) p += OSPF6_LSA_SIZE(lsa->header); lsa_cnt++; - assert(lsa->lock == 1); + assert(lsa->lock == 2); ospf6_lsdb_remove(lsa, on->lsupdate_list); } @@ -2201,8 +2194,7 @@ int ospf6_lsupdate_send_interface(struct thread *thread) struct ospf6_lsupdate *lsupdate; uint8_t *p; int lsa_cnt; - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; oi = (struct ospf6_interface *)THREAD_ARG(thread); oi->thread_send_lsupdate = (struct thread *)NULL; @@ -2228,9 +2220,7 @@ int ospf6_lsupdate_send_interface(struct thread *thread) p = (uint8_t *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate)); lsa_cnt = 0; - for (iterend = ospf6_lsdb_head(oi->lsupdate_list, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(oi->lsupdate_list, lsa)) { /* MTU check */ if ((p - sendbuf + ((unsigned int)OSPF6_LSA_SIZE(lsa->header))) > ospf6_packet_max(oi)) { @@ -2264,7 +2254,7 @@ int ospf6_lsupdate_send_interface(struct thread *thread) p += OSPF6_LSA_SIZE(lsa->header); lsa_cnt++; - assert(lsa->lock == 1); + assert(lsa->lock == 2); ospf6_lsdb_remove(lsa, oi->lsupdate_list); } @@ -2290,8 +2280,7 @@ int ospf6_lsack_send_neighbor(struct thread *thread) struct ospf6_neighbor *on; struct ospf6_header *oh; uint8_t *p; - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; int lsa_cnt = 0; on = (struct ospf6_neighbor *)THREAD_ARG(thread); @@ -2314,9 +2303,7 @@ int ospf6_lsack_send_neighbor(struct thread *thread) p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); - for (iterend = ospf6_lsdb_head(on->lsack_list, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(on->lsack_list, lsa)) { /* MTU check */ if (p - sendbuf + sizeof(struct ospf6_lsa_header) > ospf6_packet_max(on->ospf6_if)) { @@ -2344,7 +2331,7 @@ int ospf6_lsack_send_neighbor(struct thread *thread) memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header)); p += sizeof(struct ospf6_lsa_header); - assert(lsa->lock == 1); + assert(lsa->lock == 2); ospf6_lsdb_remove(lsa, on->lsack_list); lsa_cnt++; } @@ -2371,8 +2358,7 @@ int ospf6_lsack_send_interface(struct thread *thread) struct ospf6_interface *oi; struct ospf6_header *oh; uint8_t *p; - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; int lsa_cnt = 0; oi = (struct ospf6_interface *)THREAD_ARG(thread); @@ -2396,9 +2382,7 @@ int ospf6_lsack_send_interface(struct thread *thread) p = (uint8_t *)((caddr_t)oh + sizeof(struct ospf6_header)); - for (iterend = ospf6_lsdb_head(oi->lsack_list, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(oi->lsack_list, lsa)) { /* MTU check */ if (p - sendbuf + sizeof(struct ospf6_lsa_header) > ospf6_packet_max(oi)) { @@ -2416,7 +2400,7 @@ int ospf6_lsack_send_interface(struct thread *thread) memcpy(p, lsa->header, sizeof(struct ospf6_lsa_header)); p += sizeof(struct ospf6_lsa_header); - assert(lsa->lock == 1); + assert(lsa->lock == 2); ospf6_lsdb_remove(lsa, oi->lsack_list); lsa_cnt++; } diff --git a/ospf6d/ospf6_neighbor.c b/ospf6d/ospf6_neighbor.c index 1e90d4b9b..92a3c9e1a 100644 --- a/ospf6d/ospf6_neighbor.c +++ b/ospf6d/ospf6_neighbor.c @@ -118,15 +118,11 @@ struct ospf6_neighbor *ospf6_neighbor_create(uint32_t router_id, void ospf6_neighbor_delete(struct ospf6_neighbor *on) { - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; ospf6_lsdb_remove_all(on->summary_list); ospf6_lsdb_remove_all(on->request_list); - - for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(on->retrans_list, lsa)) { ospf6_decrement_retrans_count(lsa); ospf6_lsdb_remove(lsa, on->retrans_list); } @@ -297,8 +293,7 @@ int twoway_received(struct thread *thread) int negotiation_done(struct thread *thread) { struct ospf6_neighbor *on; - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; on = (struct ospf6_neighbor *)THREAD_ARG(thread); assert(on); @@ -312,10 +307,7 @@ int negotiation_done(struct thread *thread) /* clear ls-list */ ospf6_lsdb_remove_all(on->summary_list); ospf6_lsdb_remove_all(on->request_list); - - for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(on->retrans_list, lsa)) { ospf6_decrement_retrans_count(lsa); ospf6_lsdb_remove(lsa, on->retrans_list); } @@ -509,8 +501,7 @@ int seqnumber_mismatch(struct thread *thread) int bad_lsreq(struct thread *thread) { struct ospf6_neighbor *on; - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; on = (struct ospf6_neighbor *)THREAD_ARG(thread); assert(on); @@ -529,10 +520,7 @@ int bad_lsreq(struct thread *thread) ospf6_lsdb_remove_all(on->summary_list); ospf6_lsdb_remove_all(on->request_list); - - for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(on->retrans_list, lsa)) { ospf6_decrement_retrans_count(lsa); ospf6_lsdb_remove(lsa, on->retrans_list); } @@ -550,8 +538,7 @@ int bad_lsreq(struct thread *thread) int oneway_received(struct thread *thread) { struct ospf6_neighbor *on; - struct ospf6_lsa *lsa, *lsa_next; - const struct route_node *iterend; + struct ospf6_lsa *lsa; on = (struct ospf6_neighbor *)THREAD_ARG(thread); assert(on); @@ -568,9 +555,7 @@ int oneway_received(struct thread *thread) ospf6_lsdb_remove_all(on->summary_list); ospf6_lsdb_remove_all(on->request_list); - for (iterend = ospf6_lsdb_head(on->retrans_list, 0, 0, 0, &lsa); lsa; - lsa = lsa_next) { - lsa_next = ospf6_lsdb_next(iterend, lsa); + for (ALL_LSDB(on->retrans_list, lsa)) { ospf6_decrement_retrans_count(lsa); ospf6_lsdb_remove(lsa, on->retrans_list); } |