isisd: fix heap uaf, round 2

author Quentin Young <qlyoung@cumulusnetworks.com>

Fri, 9 Jun 2017 14:53:11 +0000 (14:53 +0000)

committer Quentin Young <qlyoung@cumulusnetworks.com>

Fri, 9 Jun 2017 14:53:11 +0000 (14:53 +0000)
author Quentin Young <qlyoung@cumulusnetworks.com>
Fri, 9 Jun 2017 14:53:11 +0000 (14:53 +0000)
committer Quentin Young <qlyoung@cumulusnetworks.com>
Fri, 9 Jun 2017 14:53:11 +0000 (14:53 +0000)
diff --git a/isisd/isis_adjacency.c b/isisd/isis_adjacency.c

index de1ccaad138c4b6bc4a453c33289e767bfa01ef7..3821930927e94eea8d984e94af8b40f4b4aee7ab 100644 (file)
--- a/isisd/isis_adjacency.c
+++ b/isisd/isis_adjacency.c
@@ -178,6 +178,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
    int old_state;
    int level;
    struct isis_circuit *circuit;
+  bool del;
  
    old_state = adj->adj_state;
    adj->adj_state = new_state;
@@ -212,7 +213,8 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
  
    if (circuit->circ_type == CIRCUIT_T_BROADCAST)
      {
-      for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++)
+      del = false;
+      for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
        {
          if ((adj->level & level) == 0)
            continue;
@@ -235,8 +237,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
                  list_delete_all_node (circuit->lsp_queue);
              }
            isis_event_adjacency_state_change (adj, new_state);
-          isis_delete_adj (adj);
-          adj = NULL;
+          del = true;
          }
  
          if (circuit->u.bc.lan_neighs[level - 1])
@@ -250,10 +251,16 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
          if (circuit->u.bc.is_dr[level - 1])
            lsp_regenerate_schedule_pseudo (circuit, level);
        }
+
+      if (del)
+        isis_delete_adj (adj);
+
+      adj = NULL;
      }
    else if (circuit->circ_type == CIRCUIT_T_P2P)
      {
-      for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++)
+      del = false;
+      for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
        {
          if ((adj->level & level) == 0)
            continue;
@@ -285,10 +292,14 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
                  list_delete_all_node (circuit->lsp_queue);
              }
            isis_event_adjacency_state_change (adj, new_state);
-          isis_delete_adj (adj);
-          adj = NULL;
+          del = true;
          }
        }
+
+      if (del)
+        isis_delete_adj (adj);
+
+      adj = NULL;
      }
  
    return;
author	Quentin Young <qlyoung@cumulusnetworks.com>
	Fri, 9 Jun 2017 14:53:11 +0000 (14:53 +0000)
committer	Quentin Young <qlyoung@cumulusnetworks.com>
	Fri, 9 Jun 2017 14:53:11 +0000 (14:53 +0000)