From: paco Date: Wed, 20 Jun 2018 16:09:35 +0000 (+0200) Subject: spf6d: fix use after free (2) (Coverity 1221459) X-Git-Tag: frr-6.1-dev~267^2 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=7edb6aa5834437b6cf6850b4de1684841f0e88f2;p=matthieu%2Ffrr.git spf6d: fix use after free (2) (Coverity 1221459) Previous fix was incomplete, as calling ospf6_lsa_unlock() frees 'req' but it does not put it to zero, so it was called ospf6_lsdb_remove() afterwards even being 'req' already freed. Signed-off-by: F. Aragon --- diff --git a/ospf6d/ospf6_flood.c b/ospf6d/ospf6_flood.c index 2059d84868..ae26668c8a 100644 --- a/ospf6d/ospf6_flood.c +++ b/ospf6d/ospf6_flood.c @@ -347,6 +347,7 @@ void ospf6_flood_interface(struct ospf6_neighbor *from, struct ospf6_lsa *lsa, "Received is newer, remove requesting"); if (req == on->last_ls_req) { ospf6_lsa_unlock(req); + req = NULL; on->last_ls_req = NULL; } if (req)
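Review bot: Setting 'req = NULL;' right after 'ospf6_lsa_unlock(req);' means the trailing 'if (req)' is never taken when 'req == on->last_ls_req', so the ospf6_lsdb_remove() call named in the commit message is skipped entirely on that path. That is only correct if ospf6_lsa_unlock() always releases the last reference here. The hunk does not show this, and if the call merely drops one reference while the LSA is still linked in the database that ospf6_lsdb_remove() works on, the entry is left behind instead of being removed. Please confirm which case holds and add a one-line comment above the assignment stating the ownership assumption. Alternatively, reorder the code so that the removal happens while 'req' is still known to be valid, and the pointer is cleared only afterwards.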