From 7596c208a4cfa853044148dd24ecff8b8f8575e0 Mon Sep 17 00:00:00 2001
From: Quentin Young
Date: Tue, 6 Jun 2017 17:53:48 +0000
Subject: isisd: fix heap uaf

Fix #671

Signed-off-by: Quentin Young
---
 isisd/isis_adjacency.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'isisd')
diff --git a/isisd/isis_adjacency.c b/isisd/isis_adjacency.c
index f55092487..de1ccaad1 100644
--- a/isisd/isis_adjacency.c
+++ b/isisd/isis_adjacency.c
@@ -212,7 +212,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
 if (circuit->circ_type == CIRCUIT_T_BROADCAST) {
- for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
+ for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++)
 { if ((adj->level & level) == 0) continue;
@@ -236,6 +236,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
 } isis_event_adjacency_state_change (adj, new_state); isis_delete_adj (adj);
+ adj = NULL;
 } if (circuit->u.bc.lan_neighs[level - 1])
@@ -252,7 +253,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
 } else if (circuit->circ_type == CIRCUIT_T_P2P) {
- for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
+ for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++)
 { if ((adj->level & level) == 0) continue;
@@ -285,6 +286,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
 } isis_event_adjacency_state_change (adj, new_state); isis_delete_adj (adj);
+ adj = NULL;
 } } }
--
cgit v1.2.3
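Review bot: With `adj && level <= IS_LEVEL_2` as the loop condition, the loop ends at the first level where `isis_delete_adj (adj)` runs, so an adjacency that passes the `(adj->level & level)` test for both levels is never processed for IS_LEVEL_2. Whatever per-level bookkeeping precedes the delete would then be skipped for the second level; that part of the loop body is outside the hunk, so this needs checking against the full function. The CIRCUIT_T_P2P loop in the third hunk has the same shape. Deferring the free removes the use-after-free without the early exit: keep the original loop condition, put `del = true;` where the delete is now, and call `if (del) isis_delete_adj (adj);` once after the loop.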
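Review bot: `adj = NULL;` clears only this function's copy of the pointer, because `adj` is passed by value in the signature shown in the hunk header; a caller that keeps using its own pointer after the call would still read freed memory. The function's header comment should state the ownership rule, for example `/* adj is freed on this path; callers must not dereference it after return. */`. The same applies to the P2P branch in the fourth hunk. The condition that selects the delete path is outside both hunks, so the comment should name it once confirmed against the full function.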