From 7de6a87b55705fe61dfcf7758d7ac9ec463bd2b4 Mon Sep 17 00:00:00 2001
From: Quentin Young
Date: Tue, 6 Jun 2017 15:47:09 +0000
Subject: [PATCH] ospf6d: fix heap uaf

Fix #667

Signed-off-by: Quentin Young
---
 ospf6d/ospf6_intra.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c
index 5dd10b4c72..80e67ea2a9 100644
--- a/ospf6d/ospf6_intra.c
+++ b/ospf6d/ospf6_intra.c
@@ -1621,6 +1621,7 @@ ospf6_intra_brouter_calculation (struct ospf6_area *oa)
 zlog_info ("brouter %s disappears via area %s",
 brouter_name, oa->name);
 ospf6_route_remove (brouter, oa->ospf6->brouter_table);
+ brouter = NULL;
 }
 else if (CHECK_FLAG (brouter->flag, OSPF6_ROUTE_ADD) ||
 CHECK_FLAG (brouter->flag, OSPF6_ROUTE_CHANGE))
@@ -1644,8 +1645,12 @@ ospf6_intra_brouter_calculation (struct ospf6_area *oa)
 /* But re-originate summaries */
 ospf6_abr_originate_summary (brouter);
 }
- UNSET_FLAG (brouter->flag, OSPF6_ROUTE_ADD);
- UNSET_FLAG (brouter->flag, OSPF6_ROUTE_CHANGE);
+
+ if (brouter)
+ {
+ UNSET_FLAG (brouter->flag, OSPF6_ROUTE_ADD);
+ UNSET_FLAG (brouter->flag, OSPF6_ROUTE_CHANGE);
+ }
 }
 
 if (IS_OSPF6_DEBUG_BROUTER_SPECIFIC_AREA_ID (oa->area_id))
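Review bot: The `brouter = NULL;` added in the first hunk turns the loop variable itself into the "already removed" sentinel, and the loop header of ospf6_intra_brouter_calculation lies outside both hunks, so it is not visible whether the iteration step still reads `brouter` after this assignment. If the advance is computed from `brouter` (for example by passing it to a next-route helper), the removal branch would trade the use-after-free for a NULL dereference; in that case the next route should be captured before `ospf6_route_remove` is called. The assignment also deserves a comment, since the second hunk's `if (brouter)` guard only makes sense with it, e.g. `/* brouter may have been freed by ospf6_route_remove; skip the flag cleanup below */`.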