From 8f599166fb5896224d5b0ec835be4e6b8c496d3e Mon Sep 17 00:00:00 2001
From: Quentin Young
Date: Mon, 22 May 2017 02:12:05 +0000
Subject: [PATCH] ospf6d: fix use-after-free

ospf6_route_remove may free the ospf6_route passed to it if the refcount reaches zero, in which case zeroing the ->flag field constitutes a uaf

Signed-off-by: Quentin Young
---
 ospf6d/ospf6_intra.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c
index 6461963856..5dd10b4c72 100644
--- a/ospf6d/ospf6_intra.c
+++ b/ospf6d/ospf6_intra.c
@@ -1455,13 +1455,14 @@ ospf6_intra_route_calculation (struct ospf6_area *oa)
 {
 if (hook_add)
 (*hook_add) (route);
+ route->flag = 0;
 }
 else
 {
 /* Redo the summaries as things might have changed */
 ospf6_abr_originate_summary (route);
+ route->flag = 0;
 }
- route->flag = 0;
 }

 if (IS_OSPF6_DEBUG_EXAMIN (INTRA_PREFIX))
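Review bot: The two `route->flag = 0;` resets now sit inside the hook_add branch and the else branch with nothing in the code saying why they are duplicated, so a later cleanup could hoist them back below the chain and reintroduce the use-after-free the commit message describes. A short comment at the first reset would pin the reason, for example `/* reset per branch: the removing branch may free route, so do not touch it after the chain */`. The branch that calls ospf6_route_remove and the enclosing loop header are outside this hunk, so it is also worth confirming that the loop's advance step does not read `route` after that branch has run.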