ospf6d: clear lsa->refresh before clearing LSAs

This fixes a SEGV when we receive a higher-SeqNum copy of a LSA that we
originated ourselves, before a reboot of ospf6d.  We create a new
copy of the LSA to resync the SeqNum, but then half an hour later
the old refresh thread ends up trying to refresh the free()'d old LSA.

The SEGV is triggered by this chain:
  ospf6_lsdb_maxage_remover
  -> thread_execute(ospf6_lsa_refresh)
     -> old->refresh = NULL
Which assumes that old->refresh is no longer scheduled to run, as it is
being run right there.  But the thread_execute() doesn't know about
old->refresh and therefore didn't remove it.

(Found by ANVL OSPFV3-16.17)

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>

diff --git a/ospf6d/ospf6_flood.c b/ospf6d/ospf6_flood.c
index dc9ecbfb04ef40436b9867c3993bfd599a384d07..49ed6e265e14514b16856899564ff1979f9c0824 100644 (file)
--- a/ospf6d/ospf6_flood.c
+++ b/ospf6d/ospf6_flood.c
@@ -220,6 +220,7 @@ ospf6_install_lsa (struct ospf6_lsa *lsa)
   if (old)
     {
       THREAD_OFF (old->expire);
+      THREAD_OFF (old->refresh);
       ospf6_flood_clear (old);
     }
 

diff --git a/ospf6d/ospf6_lsdb.c b/ospf6d/ospf6_lsdb.c
index 5138d1c1cfdeb137e0f4bc956522c12cbc3246c5..707afc67eb0fb6d4c19c3aecf4ed1e440504c448 100644 (file)
--- a/ospf6d/ospf6_lsdb.c
+++ b/ospf6d/ospf6_lsdb.c
@@ -473,6 +473,8 @@ ospf6_lsdb_maxage_remover (struct ospf6_lsdb *lsdb)
          */
         lsa->header->seqnum = htonl(OSPF_MAX_SEQUENCE_NUMBER + 1);
         ospf6_lsa_checksum (lsa->header);
+
+       THREAD_OFF(lsa->refresh);
         thread_execute (master, ospf6_lsa_refresh, lsa, 0);
       } else {
         ospf6_lsdb_remove (lsa, lsdb);