proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-12 09:52:27 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

isisd: fix heap uaf, round 2

Browse Source 
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
This commit is contained in:
Quentin Young 2017-06-09 14:53:11 +00:00
parent 7596c208a4
commit 5fe70a7176
1 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
isisd/isis_adjacency.c
View File

@ -178,6 +178,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
int old_state;
int level;
struct isis_circuit *circuit;
bool del;
old_state = adj->adj_state;
adj->adj_state = new_state;
@ -212,7 +213,8 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
if (circuit->circ_type == CIRCUIT_T_BROADCAST)
{
for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++)
del = false;
for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
{
if ((adj->level & level) == 0)
continue;
@ -235,8 +237,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
list_delete_all_node (circuit->lsp_queue);
}
isis_event_adjacency_state_change (adj, new_state);
isis_delete_adj (adj);
adj = NULL;
del = true;
}
if (circuit->u.bc.lan_neighs[level - 1])
@ -250,10 +251,16 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
if (circuit->u.bc.is_dr[level - 1])
lsp_regenerate_schedule_pseudo (circuit, level);
}
if (del)
isis_delete_adj (adj);
adj = NULL;
}
else if (circuit->circ_type == CIRCUIT_T_P2P)
{
for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++)
del = false;
for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
{
if ((adj->level & level) == 0)
continue;
@ -285,10 +292,14 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
list_delete_all_node (circuit->lsp_queue);
}
isis_event_adjacency_state_change (adj, new_state);
isis_delete_adj (adj);
adj = NULL;
del = true;
}
}
if (del)
isis_delete_adj (adj);
adj = NULL;
}
return;