diff options
| author | Quentin Young <qlyoung@cumulusnetworks.com> | 2017-05-22 04:12:05 +0200 |
|---|---|---|
| committer | Quentin Young <qlyoung@cumulusnetworks.com> | 2017-05-22 04:14:29 +0200 |
| commit | 8f599166fb5896224d5b0ec835be4e6b8c496d3e (patch) | |
| tree | aa1d9086f87d440d6a5942dd347e6d48385fd149 /ospf6d | |
| parent | pimd: Fix indentation issue that is causing clang unhappiness (diff) | |
| download | frr-8f599166fb5896224d5b0ec835be4e6b8c496d3e.tar.xz frr-8f599166fb5896224d5b0ec835be4e6b8c496d3e.zip | |
ospf6d: fix use-after-free
ospf6_route_remove may free the ospf6_route passed to it if the refcount
reaches zero, in which case zeroing the ->flag field constitutes a uaf
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Diffstat (limited to 'ospf6d')
| -rw-r--r-- | ospf6d/ospf6_intra.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c index 646196385..5dd10b4c7 100644 --- a/ospf6d/ospf6_intra.c +++ b/ospf6d/ospf6_intra.c @@ -1455,13 +1455,14 @@ ospf6_intra_route_calculation (struct ospf6_area *oa) { if (hook_add) (*hook_add) (route); + route->flag = 0; } else { /* Redo the summaries as things might have changed */ ospf6_abr_originate_summary (route); + route->flag = 0; } - route->flag = 0; } if (IS_OSPF6_DEBUG_EXAMIN (INTRA_PREFIX)) |