Merge pull request #16809 from louis-6wind/fix-rcap-double-free

isisd: fix rcap tlv double-free crash
2025-07-27 11:44:16 +00:00 · 2024-09-17 08:33:43 -04:00 · 2024-09-17 08:33:43 -04:00 · ade993b629
commit ade993b629
parent f436b8668b cfd050a0e5
2 changed files with 8 additions and 9 deletions
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@ -6147,16 +6147,17 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
 		return 0;
 	}
-	if (tlvs->router_cap)
+	if (!tlvs->router_cap) {
-		/* Multiple Router Capability found */
+		/* First Router Capability TLV.
-		rcap = tlvs->router_cap;
+		 * Allocate router cap structure and initialize SR Algorithms */
-	else {
+		tlvs->router_cap = XCALLOC(MTYPE_ISIS_TLV,
-		/* Allocate router cap structure and initialize SR Algorithms */
+					   sizeof(struct isis_router_cap));
 		rcap = XCALLOC(MTYPE_ISIS_TLV, sizeof(struct isis_router_cap));
 		for (int i = 0; i < SR_ALGORITHM_COUNT; i++)
-			rcap->algo[i] = SR_ALGORITHM_UNSET;
+			tlvs->router_cap->algo[i] = SR_ALGORITHM_UNSET;
 	}
 	rcap = tlvs->router_cap;
 	/* Get Router ID and Flags */
 	rcap->router_id.s_addr = stream_get_ipv4(s);
 	rcap->flags = stream_getc(s);
@ -6178,7 +6179,6 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
 				log, indent,
 				"WARNING: Router Capability subTLV length too large compared to expected size\n");
 			stream_forward_getp(s, STREAM_READABLE(s));
 			XFREE(MTYPE_ISIS_TLV, rcap);
 			return 0;
 		}
@ -6489,7 +6489,6 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
 		}
 		subtlv_len = subtlv_len - length - 2;
 	}
 	tlvs->router_cap = rcap;
 	return 0;
 }
--- a/tests/isisd/test_fuzz_isis_tlv_tests.h.gz
+++ b/tests/isisd/test_fuzz_isis_tlv_tests.h.gz