]> git.proxmox.com Git - mirror_frr.git/commitdiff
projects / mirror_frr.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a5f271c)
ospfd: Function order caused use after free.
authorDonald Sharp <sharpd@cumulusnetworks.com>
Mon, 11 Nov 2019 15:17:31 +0000 (10:17 -0500)
committerDonald Sharp <sharpd@cumulusnetworks.com>
Mon, 11 Nov 2019 15:17:31 +0000 (10:17 -0500)
The opaque lsa that we are storing is stored on various
lists depending on it's type.  This removal from the
list was being done *after* the pointer was freed.  This
is not a good idea.  Since the use after free was just
removal from a linked list and the freeing function does
not do anything other than free data, than just switching the function
order should be sufficient.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
ospfd/ospf_opaque.c patch | blob | blame | history

diff --git a/ospfd/ospf_opaque.c b/ospfd/ospf_opaque.c
index 147773ce235ecb1c66410286110d5308676cad7c..a989b8468cc6b90862ae5d07774249e983e70a5b 100644 (file)
--- a/ospfd/ospf_opaque.c
+++ b/ospfd/ospf_opaque.c
@@ -430,9 +430,9 @@ void ospf_delete_opaque_functab(uint8_t lsa_type, uint8_t opaque_type)
                                /* Cleanup internal control information, if it
                                 * still remains. */
                                if (functab->oipt != NULL) {
+                                       free_opaque_info_owner(functab->oipt);
                                        free_opaque_info_per_type(
                                                functab->oipt);
-                                       free_opaque_info_owner(functab->oipt);
                                }
 
                                /* Dequeue listnode entry from the list. */
@@ -554,8 +554,8 @@ register_opaque_info_per_type(struct ospf_opaque_functab *functab,
        case OSPF_OPAQUE_AS_LSA:
                top = ospf_lookup_by_vrf_id(new->vrf_id);
                if (new->area != NULL && (top = new->area->ospf) == NULL) {
-                       free_opaque_info_per_type((void *)oipt);
                        free_opaque_info_owner(oipt);
+                       free_opaque_info_per_type(oipt);
                        oipt = NULL;
                        goto out; /* This case may not exist. */
                }
@@ -567,8 +567,8 @@ register_opaque_info_per_type(struct ospf_opaque_functab *functab,
                        EC_OSPF_LSA_UNEXPECTED,
                        "register_opaque_info_per_type: Unexpected LSA-type(%u)",
                        new->data->type);
-               free_opaque_info_per_type((void *)oipt);
                free_opaque_info_owner(oipt);
+               free_opaque_info_per_type(oipt);
                oipt = NULL;
                goto out; /* This case may not exist. */
        }
FRRouting mirror