From 7c20ee06d3deddd6c53fcd5b09c40854c66633ea Mon Sep 17 00:00:00 2001
From: Manoj Naragund <mnaragund@vmware.com>
Date: Thu, 17 Mar 2022 16:58:02 +0530
Subject: [PATCH] ospf6d: crash in ospf6_decrement_retrans_count.

Problem:
ospf6d crash is observed when lsack is received from the neighbour for
AS External LSA.

RCA:
The crash is observed in ospf6_decrement_retrans_count while decrementing
retransmit counter for the LSA when lsack is recived. This is because in
ospf6_flood_interace when new LSA is being added to the neighbour's list
the incrementing is happening on the received LSA instead of the already
present LSA in scope DB which is already carrying counters.

when this new LSA replaces the old one, the already present counters are
not copied on the new LSA this creates counter mismatch which results in
a crash when lsack is recevied due to counter going to negative.

Fix:
The fix involves following changes.
   1. In ospf6_flood_interace when LSA is being added to retrans list
      check if there is alreday lsa in the scoped db and increment
      the counter on that if present.
   2. In ospf6_lsdb_add copy the retrans counter from old to new lsa
      when its being replaced.

Signed-off-by: Manoj Naragund <mnaragund@vmware.com>
---
 ospf6d/ospf6_flood.c | 19 ++++++++++++++++++-
 ospf6d/ospf6_lsdb.c  |  2 ++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/ospf6d/ospf6_flood.c b/ospf6d/ospf6_flood.c
index 5fed6dfe17..cc82084e5e 100644
--- a/ospf6d/ospf6_flood.c
+++ b/ospf6d/ospf6_flood.c
@@ -464,11 +464,28 @@ void ospf6_flood_interface(struct ospf6_neighbor *from, struct ospf6_lsa *lsa,
 				lsa->header->type, lsa->header->id,
 				lsa->header->adv_router, on->retrans_list);
 			if (!old) {
+				struct ospf6_lsa *orig;
+				struct ospf6_lsdb *lsdb;
+
 				if (is_debug)
 					zlog_debug(
 						"Increment %s from retrans_list of %s",
 						lsa->name, on->name);
-				ospf6_increment_retrans_count(lsa);
+
+				/* Increment the retrans count on the original
+				 * copy of LSA if present, to maintain the
+				 * counter consistency.
+				 */
+
+				lsdb = ospf6_get_scoped_lsdb(lsa);
+				orig = ospf6_lsdb_lookup(
+					lsa->header->type, lsa->header->id,
+					lsa->header->adv_router, lsdb);
+				if (orig)
+					ospf6_increment_retrans_count(orig);
+				else
+					ospf6_increment_retrans_count(lsa);
+
 				ospf6_lsdb_add(ospf6_lsa_copy(lsa),
 					       on->retrans_list);
 				thread_add_timer(
diff --git a/ospf6d/ospf6_lsdb.c b/ospf6d/ospf6_lsdb.c
index 889ab16b11..7a4c49a158 100644
--- a/ospf6d/ospf6_lsdb.c
+++ b/ospf6d/ospf6_lsdb.c
@@ -132,6 +132,8 @@ void ospf6_lsdb_add(struct ospf6_lsa *lsa, struct ospf6_lsdb *lsdb)
 				(*lsdb->hook_add)(lsa);
 		}
 	} else {
+		lsa->retrans_count = old->retrans_count;
+
 		if (OSPF6_LSA_IS_CHANGED(old, lsa)) {
 			if (OSPF6_LSA_IS_MAXAGE(lsa)) {
 				if (lsdb->hook_remove) {