From: Acee Lindem <acee@lindem.com>
Date: Mon, 24 Feb 2025 21:44:32 +0000 (+0000)
Subject: ospf6d: Fix use after free of router in OSPFv3 ABR route calculation.
X-Git-Tag: docker/10.2.2~4^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=0d7236c2d279d95a83e71ead532ee86b9e0d9fe8;p=matthieu%2Ffrr.git

ospf6d: Fix use after free of router in OSPFv3 ABR route calculation.

This PR fixes FRR issue https://github.com/FRRouting/frr/issues/18040. The
OSPFv3 route is locked during the ABR calculation since there are
scenarios under which it is freed. The OSPFv3 ABR computation is
sub-optimal and this PR doesn't attempt to rework it.

Signed-off-by: Acee Lindem <acee@lindem.com>
(cherry picked from commit 06af50eacec8660fada0d4fd5cd11f0ade4e3c6c)
---

diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c
index 324cd7abe8..23a5ec0695 100644
--- a/ospf6d/ospf6_intra.c
+++ b/ospf6d/ospf6_intra.c
@@ -2194,9 +2194,15 @@ void ospf6_intra_brouter_calculation(struct ospf6_area *oa)
 				zlog_info("%s: brouter %s appears via area %s",
 					  __func__, brouter_name, oa->name);
 
+			ospf6_route_lock(brouter);
 			/* newly added */
 			if (hook_add)
 				(*hook_add)(brouter);
+			if (CHECK_FLAG(brouter->flag, OSPF6_ROUTE_WAS_REMOVED)) {
+				ospf6_route_unlock(brouter);
+				brouter = NULL;
+			} else
+				ospf6_route_unlock(brouter);
 		} else {
 			if (IS_OSPF6_DEBUG_BROUTER_SPECIFIC_ROUTER_ID(
 				    brouter_id)