proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-14 00:18:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ospfd: Function order caused use after free.

Browse Source 
The opaque lsa that we are storing is stored on various
lists depending on it's type.  This removal from the
list was being done *after* the pointer was freed.  This
is not a good idea.  Since the use after free was just
removal from a linked list and the freeing function does
not do anything other than free data, than just switching the function
order should be sufficient.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
This commit is contained in:
Donald Sharp 2019-11-11 10:17:31 -05:00
parent a5f271c635
commit ae82bb756b
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ospfd/ospf_opaque.c
View File

@ -430,9 +430,9 @@ void ospf_delete_opaque_functab(uint8_t lsa_type, uint8_t opaque_type)
/* Cleanup internal control information, if it
* still remains. */
if (functab->oipt != NULL) {
free_opaque_info_owner(functab->oipt);
free_opaque_info_per_type(
functab->oipt);
free_opaque_info_owner(functab->oipt);
}
/* Dequeue listnode entry from the list. */
@ -554,8 +554,8 @@ register_opaque_info_per_type(struct ospf_opaque_functab *functab,
case OSPF_OPAQUE_AS_LSA:
top = ospf_lookup_by_vrf_id(new->vrf_id);
if (new->area != NULL && (top = new->area->ospf) == NULL) {
free_opaque_info_per_type((void *)oipt);
free_opaque_info_owner(oipt);
free_opaque_info_per_type(oipt);
oipt = NULL;
goto out; /* This case may not exist. */
}
@ -567,8 +567,8 @@ register_opaque_info_per_type(struct ospf_opaque_functab *functab,
EC_OSPF_LSA_UNEXPECTED,
"register_opaque_info_per_type: Unexpected LSA-type(%u)",
new->data->type);
free_opaque_info_per_type((void *)oipt);
free_opaque_info_owner(oipt);
free_opaque_info_per_type(oipt);
oipt = NULL;
goto out; /* This case may not exist. */
}