spf6d: fix use after free (2) (Coverity 1221459)

Previous fix was incomplete, as calling ospf6_lsa_unlock() frees 'req' but
it does not put it to zero, so it was called ospf6_lsdb_remove() afterwards
even being 'req' already freed.

Signed-off-by: F. Aragon <paco@voltanet.io>

diff --git a/ospf6d/ospf6_flood.c b/ospf6d/ospf6_flood.c
index 2059d8486829c099daf136c1b853df2d8e418fc0..ae26668c8ae8c199230459dd29818fcb20234726 100644 (file)
--- a/ospf6d/ospf6_flood.c
+++ b/ospf6d/ospf6_flood.c
@@ -347,6 +347,7 @@ void ospf6_flood_interface(struct ospf6_neighbor *from, struct ospf6_lsa *lsa,
                                                        "Received is newer, remove requesting");
                                        if (req == on->last_ls_req) {
                                                ospf6_lsa_unlock(req);
+                                               req = NULL;
                                                on->last_ls_req = NULL;
                                        }
                                        if (req)