ospfd: fix uaf upon rx of self-originated lsa

ospf_opaque_self_originated_lsa_received decrements refcount which can result in a free, this is followed by a call to ospf_ls_ack_send which accesses the freed LSA Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
author: Quentin Young <qlyoung@cumulusnetworks.com> 2020-04-14 07:43:13 +0200
committer: Quentin Young <qlyoung@cumulusnetworks.com> 2020-04-14 07:43:13 +0200
commit: f45be0e1059edad0a181b01855d09009438868f3 (patch)
tree: dc31c4d623614043663d79e6548dc9bcad034a43 /ospfd/ospf_packet.c
parent: Merge pull request #5892 from qlyoung/fix-zclient-many (diff)
download: frr-f45be0e1059edad0a181b01855d09009438868f3.tar.xz
frr-f45be0e1059edad0a181b01855d09009438868f3.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index aa50aeacb..34e5e2a11 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2038,10 +2038,10 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph,
 
 				SET_FLAG(lsa->flags, OSPF_LSA_SELF);
 
-				ospf_opaque_self_originated_lsa_received(nbr,
-									 lsa);
 				ospf_ls_ack_send(nbr, lsa);
 
+				ospf_opaque_self_originated_lsa_received(nbr,
+									 lsa);
 				continue;
 			}
 		}
author	Quentin Young <qlyoung@cumulusnetworks.com>	2020-04-14 07:43:13 +0200
committer	Quentin Young <qlyoung@cumulusnetworks.com>	2020-04-14 07:43:13 +0200
commit	f45be0e1059edad0a181b01855d09009438868f3 (patch)
tree	dc31c4d623614043663d79e6548dc9bcad034a43 /ospfd/ospf_packet.c
parent	Merge pull request #5892 from qlyoung/fix-zclient-many (diff)
download	frr-f45be0e1059edad0a181b01855d09009438868f3.tar.xz frr-f45be0e1059edad0a181b01855d09009438868f3.zip