isisd: skip over deleted fragments

Since LSP fragments are also on our lspdb dict, lsp_tick() needs to skip
over them after calling lsp_destroy().  Otherwise it ends up accessing
free'd memory.

Fixes: #3533
Signed-off-by: David Lamparter <equinox@diac24.net>

diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
index 658624370b9ed0a3af7b5768779051ef03aa3866..b56a56fa3ffd827f3a373ed4460185c692860f9c 100644 (file)
--- a/isisd/isis_lsp.c
+++ b/isisd/isis_lsp.c
@@ -1930,6 +1930,27 @@ int lsp_tick(struct thread *thread)
                                                area->area_tag, lsp->level,
                                                rawlspid_print(lsp->hdr.lsp_id),
                                                lsp->hdr.seqno);
+
+                                       /* if we're aging out fragment 0,
+                                        * lsp_destroy() below will delete all
+                                        * other fragments too, so we need to
+                                        * skip over those
+                                        */
+                                       while (!LSP_FRAGMENT(lsp->hdr.lsp_id)
+                                                       && dnode_next) {
+                                               struct isis_lsp *nextlsp;
+
+                                               nextlsp = dnode_get(dnode_next);
+                                               if (memcmp(nextlsp->hdr.lsp_id,
+                                                          lsp->hdr.lsp_id,
+                                                          ISIS_SYS_ID_LEN + 1))
+                                                       break;
+
+                                               dnode_next = dict_next(
+                                                       area->lspdb[level],
+                                                       dnode_next);
+                                       }
+
                                        lsp_destroy(lsp);
                                        lsp = NULL;
                                        dict_delete_free(area->lspdb[level],