From: Quentin Young <qlyoung@cumulusnetworks.com>
Date: Tue, 6 Jun 2017 15:47:09 +0000 (+0000)
Subject: ospf6d: fix heap uaf
X-Git-Tag: reindent-master-before~72^2^2~4
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=7de6a87b55705fe61dfcf7758d7ac9ec463bd2b4;p=mirror%2Ffrr.git

ospf6d: fix heap uaf

Fix #667

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
---

diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c
index 5dd10b4c72..80e67ea2a9 100644
--- a/ospf6d/ospf6_intra.c
+++ b/ospf6d/ospf6_intra.c
@@ -1621,6 +1621,7 @@ ospf6_intra_brouter_calculation (struct ospf6_area *oa)
             zlog_info ("brouter %s disappears via area %s",
                        brouter_name, oa->name);
           ospf6_route_remove (brouter, oa->ospf6->brouter_table);
+          brouter = NULL;
         }
       else if (CHECK_FLAG (brouter->flag, OSPF6_ROUTE_ADD) ||
                CHECK_FLAG (brouter->flag, OSPF6_ROUTE_CHANGE))
@@ -1644,8 +1645,12 @@ ospf6_intra_brouter_calculation (struct ospf6_area *oa)
           /* But re-originate summaries */
 	  ospf6_abr_originate_summary (brouter);
         }
-      UNSET_FLAG (brouter->flag, OSPF6_ROUTE_ADD);
-      UNSET_FLAG (brouter->flag, OSPF6_ROUTE_CHANGE);
+
+      if (brouter)
+        {
+          UNSET_FLAG (brouter->flag, OSPF6_ROUTE_ADD);
+          UNSET_FLAG (brouter->flag, OSPF6_ROUTE_CHANGE);
+        }
     }
 
   if (IS_OSPF6_DEBUG_BROUTER_SPECIFIC_AREA_ID (oa->area_id))