proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-12 09:52:27 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

isisd: fix heap uaf, round 2

Browse Source 
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
This commit is contained in:
Quentin Young 2017-06-09 14:53:11 +00:00
parent 7596c208a4
commit 5fe70a7176
1 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
isisd/isis_adjacency.c
View File

@ -178,6 +178,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
int old_state; int old_state;
int level; int level;
struct isis_circuit *circuit; struct isis_circuit *circuit;
bool del;
old_state = adj->adj_state; old_state = adj->adj_state;
adj->adj_state = new_state; adj->adj_state = new_state;
@ -212,7 +213,8 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
if (circuit->circ_type == CIRCUIT_T_BROADCAST) if (circuit->circ_type == CIRCUIT_T_BROADCAST)
{ {
for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++) del = false;
for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
{ {
if ((adj->level & level) == 0) if ((adj->level & level) == 0)
continue; continue;
@ -235,8 +237,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
list_delete_all_node (circuit->lsp_queue); list_delete_all_node (circuit->lsp_queue);
} }
isis_event_adjacency_state_change (adj, new_state); isis_event_adjacency_state_change (adj, new_state);
isis_delete_adj (adj); del = true;
adj = NULL;
} }
if (circuit->u.bc.lan_neighs[level - 1]) if (circuit->u.bc.lan_neighs[level - 1])
@ -250,10 +251,16 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
if (circuit->u.bc.is_dr[level - 1]) if (circuit->u.bc.is_dr[level - 1])
lsp_regenerate_schedule_pseudo (circuit, level); lsp_regenerate_schedule_pseudo (circuit, level);
} }
if (del)
isis_delete_adj (adj);
adj = NULL;
} }
else if (circuit->circ_type == CIRCUIT_T_P2P) else if (circuit->circ_type == CIRCUIT_T_P2P)
{ {
for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++) del = false;
for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
{ {
if ((adj->level & level) == 0) if ((adj->level & level) == 0)
continue; continue;
@ -285,10 +292,14 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
list_delete_all_node (circuit->lsp_queue); list_delete_all_node (circuit->lsp_queue);
} }
isis_event_adjacency_state_change (adj, new_state); isis_event_adjacency_state_change (adj, new_state);
isis_delete_adj (adj); del = true;
adj = NULL;
} }
} }
if (del)
isis_delete_adj (adj);
adj = NULL;
} }
return; return;