]> git.puffer.fish Git - matthieu/frr.git/commitdiff
projects / matthieu / frr.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1b0f1cb)
ospfd: fix uaf upon rx of self-originated lsa
authorQuentin Young <qlyoung@cumulusnetworks.com>
Tue, 14 Apr 2020 05:43:13 +0000 (01:43 -0400)
committerQuentin Young <qlyoung@cumulusnetworks.com>
Tue, 14 Apr 2020 05:43:13 +0000 (01:43 -0400)
ospf_opaque_self_originated_lsa_received decrements refcount which can
result in a free, this is followed by a call to ospf_ls_ack_send which
accesses the freed LSA

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
ospfd/ospf_packet.c patch | blob | history

diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index aa50aeacbc634382e6463f35679b4e6c838ca622..34e5e2a11e31851221ea39e783345173a6e23a38 100644 (file)
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2038,10 +2038,10 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph,
 
                                SET_FLAG(lsa->flags, OSPF_LSA_SELF);
 
-                               ospf_opaque_self_originated_lsa_received(nbr,
-                                                                        lsa);
                                ospf_ls_ack_send(nbr, lsa);
 
+                               ospf_opaque_self_originated_lsa_received(nbr,
+                                                                        lsa);
                                continue;
                        }
                }
Unnamed repository; edit this file 'description' to name the repository.