From: Donald Sharp Date: Tue, 26 Jan 2021 13:10:49 +0000 (-0500) Subject: ospf6d: Track wait_timer and disable when needed X-Git-Tag: frr-7.5.1~8^2 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=1f6785aa60cc57a5c8d5de98c9c09a344a0c9262;p=matthieu%2Ffrr.git ospf6d: Track wait_timer and disable when needed When removing ospfv3 from an interface that has been previously put into wait state, there is a possible use after free of the oi because the wait_timer could have been started for the interface. This is because the wait_timer was not tracked by the interface and we just created a thread for it without storing the thread pointer. Issue: #7932 Signed-off-by: Donald Sharp --- diff --git a/ospf6d/ospf6_interface.c b/ospf6d/ospf6_interface.c index 3a6a9c91c8..2191ff46db 100644 --- a/ospf6d/ospf6_interface.c +++ b/ospf6d/ospf6_interface.c @@ -248,6 +248,7 @@ void ospf6_interface_delete(struct ospf6_interface *oi) THREAD_OFF(oi->thread_send_lsupdate); THREAD_OFF(oi->thread_send_lsack); THREAD_OFF(oi->thread_sso); + THREAD_OFF(oi->thread_wait_timer); ospf6_lsdb_remove_all(oi->lsdb); ospf6_lsdb_remove_all(oi->lsupdate_list); @@ -302,6 +303,7 @@ void ospf6_interface_disable(struct ospf6_interface *oi) THREAD_OFF(oi->thread_link_lsa); THREAD_OFF(oi->thread_intra_prefix_lsa); THREAD_OFF(oi->thread_as_extern_lsa); + THREAD_OFF(oi->thread_wait_timer); } static struct in6_addr * @@ -785,7 +787,7 @@ int interface_up(struct thread *thread) else { ospf6_interface_state_change(OSPF6_INTERFACE_WAITING, oi); thread_add_timer(master, wait_timer, oi, oi->dead_interval, - NULL); + &oi->thread_wait_timer); } return 0; diff --git a/ospf6d/ospf6_interface.h b/ospf6d/ospf6_interface.h index dd7f4d1b1e..6e4692920c 100644 --- a/ospf6d/ospf6_interface.h +++ b/ospf6d/ospf6_interface.h @@ -111,6 +111,7 @@ struct ospf6_interface { struct thread *thread_link_lsa; struct thread *thread_intra_prefix_lsa; struct thread *thread_as_extern_lsa; + struct thread *thread_wait_timer; struct ospf6_route_table *route_connected;