From: David Lamparter
Date: Mon, 18 Feb 2019 20:34:06 +0000 (+0100)
Subject: isisd: skip over deleted fragments
X-Git-Tag: 7.1_pulled~233^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=0c77e17821fe8d4bef45a5e067402a15d49e1583;p=matthieu%2Ffrr.git

isisd: skip over deleted fragments

Since LSP fragments are also on our lspdb dict, lsp_tick() needs to skip over them after calling lsp_destroy(). Otherwise it ends up accessing free'd memory.
Fixes: #3533
Signed-off-by: David Lamparter
---
diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
index 658624370b..b56a56fa3f 100644
--- a/isisd/isis_lsp.c
+++ b/isisd/isis_lsp.c
@@ -1930,6 +1930,27 @@ int lsp_tick(struct thread *thread)
 area->area_tag, lsp->level,
 rawlspid_print(lsp->hdr.lsp_id),
 lsp->hdr.seqno);
+
+ /* if we're aging out fragment 0,
+ * lsp_destroy() below will delete all
+ * other fragments too, so we need to
+ * skip over those
+ */
+ while (!LSP_FRAGMENT(lsp->hdr.lsp_id)
+ && dnode_next) {
+ struct isis_lsp *nextlsp;
+
+ nextlsp = dnode_get(dnode_next);
+ if (memcmp(nextlsp->hdr.lsp_id,
+ lsp->hdr.lsp_id,
+ ISIS_SYS_ID_LEN + 1))
+ break;
+
+ dnode_next = dict_next(
+ area->lspdb[level],
+ dnode_next);
+ }
+
 lsp_destroy(lsp);
 lsp = NULL;
 dict_delete_free(area->lspdb[level],
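Review bot: The skip loop added before `lsp_destroy(lsp)` is only safe if `area->lspdb[level]` is ordered by LSP ID, so that every fragment of this LSP sits directly after fragment 0 in the dict; the hunk does not state this, and the dict's comparison function is not visible here. Because this loop is the only thing keeping `dnode_next` off nodes that `lsp_destroy()` frees, the comment should record that assumption, for example by adding `* (lspdb is sorted by LSP ID, so they directly follow this node)`, and should say that `ISIS_SYS_ID_LEN + 1` compares the system ID plus the pseudonode octet and deliberately leaves out the fragment number. `!LSP_FRAGMENT(lsp->hdr.lsp_id)` never changes inside the loop, so it would read more clearly as an enclosing `if` than as part of the `while` condition. The body of lsp_tick() starts and ends outside the hunk, so how `dnode_next` is first obtained could not be checked here.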