From 1f6785aa60cc57a5c8d5de98c9c09a344a0c9262 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Tue, 26 Jan 2021 08:10:49 -0500
Subject: [PATCH] ospf6d: Track wait_timer and disable when needed
When removing ospfv3 from an interface that has been previously put into wait state, there is a possible use after free of the oi because the wait_timer could have been started for the interface. This is because the wait_timer was not tracked by the interface and we just created a thread for it without storing the thread pointer.
Issue: #7932
Signed-off-by: Donald Sharp
---
 ospf6d/ospf6_interface.c | 4 +++-
 ospf6d/ospf6_interface.h | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ospf6d/ospf6_interface.c b/ospf6d/ospf6_interface.c
index 3a6a9c91c8..2191ff46db 100644
--- a/ospf6d/ospf6_interface.c
+++ b/ospf6d/ospf6_interface.c
@@ -248,6 +248,7 @@ void ospf6_interface_delete(struct ospf6_interface *oi)
 THREAD_OFF(oi->thread_send_lsupdate);
 THREAD_OFF(oi->thread_send_lsack);
 THREAD_OFF(oi->thread_sso);
+ THREAD_OFF(oi->thread_wait_timer);
 ospf6_lsdb_remove_all(oi->lsdb);
 ospf6_lsdb_remove_all(oi->lsupdate_list);
@@ -302,6 +303,7 @@ void ospf6_interface_disable(struct ospf6_interface *oi)
 THREAD_OFF(oi->thread_link_lsa);
 THREAD_OFF(oi->thread_intra_prefix_lsa);
 THREAD_OFF(oi->thread_as_extern_lsa);
+ THREAD_OFF(oi->thread_wait_timer);
 }
 static struct in6_addr *
@@ -785,7 +787,7 @@ int interface_up(struct thread *thread)
 else {
 ospf6_interface_state_change(OSPF6_INTERFACE_WAITING, oi);
 thread_add_timer(master, wait_timer, oi, oi->dead_interval,
- NULL);
+ &oi->thread_wait_timer);
 }
 return 0;
diff --git a/ospf6d/ospf6_interface.h b/ospf6d/ospf6_interface.h
index dd7f4d1b1e..6e4692920c 100644
--- a/ospf6d/ospf6_interface.h
+++ b/ospf6d/ospf6_interface.h
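Review bot: ospf6_interface_delete() and ospf6_interface_disable() each keep their own hand-written list of THREAD_OFF() calls, and this patch has to touch both, so the next timer scheduled with `oi` as its argument can be missed in one of them the same way. A comment above each list would make the invariant explicit, for example `/* every thread scheduled with oi as its argument must be cancelled here before oi can be freed */`. Both function bodies start and end outside their hunks, so whether delete already calls disable, or a shared cancel helper exists, cannot be seen from here.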
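Review bot: Now that the pending timer is recorded in `oi->thread_wait_timer`, every path that leaves the WAITING state needs to clear it, and this patch only does so in ospf6_interface_delete() and ospf6_interface_disable(). If interface_down() (not shown) leaves the timer pending, the handle stays set, and if thread_add_timer() declines to re-arm a handle that is already set, a later interface_up() would inherit the old expiry instead of a fresh `oi->dead_interval`. Consider adding `THREAD_OFF(oi->thread_wait_timer);` to interface_down() and confirming that wait_timer() returns without acting when the interface is no longer in OSPF6_INTERFACE_WAITING. interface_up() starts and ends outside this hunk.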
@@ -111,6 +111,7 @@ struct ospf6_interface {
 struct thread *thread_link_lsa;
 struct thread *thread_intra_prefix_lsa;
 struct thread *thread_as_extern_lsa;
+ struct thread *thread_wait_timer;
 struct ospf6_route_table *route_connected;
--
2.39.5
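Review bot: The new `thread_wait_timer` member has no comment, and unlike its neighbours its name does not say which event arms it. Suggest `/* pending wait_timer event armed by interface_up(); cancelled in ospf6_interface_disable() and ospf6_interface_delete() */` above the field, so the owner and the cancel points are recorded next to the handle. The struct definition starts and ends outside the hunk.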