From: David Lamparter Date: Mon, 9 Dec 2013 15:48:55 +0000 (+0100) Subject: ospf6d: clear lsa->refresh before clearing LSAs X-Git-Tag: frr-2.0-rc1~1628^2~1 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=11b4f01355703d34099d4da145c7d92e32d98636;p=mirror%2Ffrr.git ospf6d: clear lsa->refresh before clearing LSAs This fixes a SEGV when we receive a higher-SeqNum copy of a LSA that we originated ourselves, before a reboot of ospf6d. We create a new copy of the LSA to resync the SeqNum, but then half an hour later the old refresh thread ends up trying to refresh the free()'d old LSA. The SEGV is triggered by this chain: ospf6_lsdb_maxage_remover -> thread_execute(ospf6_lsa_refresh) -> old->refresh = NULL Which assumes that old->refresh is no longer scheduled to run, as it is being run right there. But the thread_execute() doesn't know about old->refresh and therefore didn't remove it. (Found by ANVL OSPFV3-16.17) Signed-off-by: David Lamparter --- diff --git a/ospf6d/ospf6_flood.c b/ospf6d/ospf6_flood.c index dc9ecbfb04..49ed6e265e 100644 --- a/ospf6d/ospf6_flood.c +++ b/ospf6d/ospf6_flood.c @@ -220,6 +220,7 @@ ospf6_install_lsa (struct ospf6_lsa *lsa) if (old) { THREAD_OFF (old->expire); + THREAD_OFF (old->refresh); ospf6_flood_clear (old); } diff --git a/ospf6d/ospf6_lsdb.c b/ospf6d/ospf6_lsdb.c index 5138d1c1cf..707afc67eb 100644 --- a/ospf6d/ospf6_lsdb.c +++ b/ospf6d/ospf6_lsdb.c @@ -473,6 +473,8 @@ ospf6_lsdb_maxage_remover (struct ospf6_lsdb *lsdb) */ lsa->header->seqnum = htonl(OSPF_MAX_SEQUENCE_NUMBER + 1); ospf6_lsa_checksum (lsa->header); + + THREAD_OFF(lsa->refresh); thread_execute (master, ospf6_lsa_refresh, lsa, 0); } else { ospf6_lsdb_remove (lsa, lsdb);
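Review bot: In the ospf6_flood.c hunk, cancelling `old->refresh` right next to `THREAD_OFF (old->expire);` closes the dangling-timer path described in the message, but the same fix now has to be repeated at every site that drops an LSA (this patch touches two). Consider also cancelling `refresh` (and `expire`) in the common teardown path where the LSA is actually freed, so that any removal path that forgets the explicit `THREAD_OFF` cannot leave a scheduled thread pointing at freed memory. A one-line comment above the new `THREAD_OFF (old->refresh);` explaining that the replacement LSA takes over refreshing would help future readers see why this is not redundant.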
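Review bot: In the ospf6_lsdb.c hunk, `THREAD_OFF(lsa->refresh);` is spelled without the space before the parenthesis that the surrounding code and the other hunk use (`THREAD_OFF (old->refresh);`, `ospf6_lsa_checksum (lsa->header);`); please match the file's GNU-style spacing. More importantly, the reason this cancel is needed is subtle and deserves a comment: `thread_execute (master, ospf6_lsa_refresh, lsa, 0);` runs the callback synchronously without knowing about the thread stored in `lsa->refresh`, and the callback then sets `refresh = NULL` as if the scheduled thread had fired, so without this explicit `THREAD_OFF` the original timer stays queued and fires later against an LSA that may have been freed. The blank line added before the `THREAD_OFF` is fine, but the comment is what will stop someone from "simplifying" this away.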