From 7edb6aa5834437b6cf6850b4de1684841f0e88f2 Mon Sep 17 00:00:00 2001
From: paco
Date: Wed, 20 Jun 2018 18:09:35 +0200
Subject: [PATCH] spf6d: fix use after free (2) (Coverity 1221459)

Previous fix was incomplete, as calling ospf6_lsa_unlock() frees 'req' but it does not put it to zero, so it was called ospf6_lsdb_remove() afterwards even being 'req' already freed.

Signed-off-by: F. Aragon
---
 ospf6d/ospf6_flood.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ospf6d/ospf6_flood.c b/ospf6d/ospf6_flood.c
index 2059d84868..ae26668c8a 100644
--- a/ospf6d/ospf6_flood.c
+++ b/ospf6d/ospf6_flood.c
@@ -347,6 +347,7 @@ void ospf6_flood_interface(struct ospf6_neighbor *from, struct ospf6_lsa *lsa,
 "Received is newer, remove requesting");
 if (req == on->last_ls_req) {
 ospf6_lsa_unlock(req);
+ req = NULL;
 on->last_ls_req = NULL;
 }
 if (req)
-- 
2.39.5
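Review bot: The added `req = NULL;` carries no explanation, so the next reader sees a pointer cleared right before `on->last_ls_req = NULL;` and has no hint that the preceding `ospf6_lsa_unlock(req);` can free the object; please add `/* unlock may drop the last reference and free req; clear it so the if (req) path below never touches freed memory */` above the new line. The guard also depends on every unlock site in the file remembering the same discipline, which is exactly how the first fix for Coverity 1221459 came up short, so it may be worth a follow-up that lets `ospf6_lsa_unlock` take the pointer's address and null it itself, if the project is willing to change that signature. The fix also assumes the free can only happen in the `req == on->last_ls_req` branch; I cannot confirm from this hunk whether other paths reach `if (req)` after an unlock. ospf6_flood_interface starts before and continues after this hunk.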