From 99512b83ab19995174e7c05e22b194ce2360a964 Mon Sep 17 00:00:00 2001 From: Igor Ryzhov Date: Tue, 14 Dec 2021 16:28:08 +0300 Subject: [PATCH] isisd: fix use after free Pointers to the adjacency must be cleared only when the adjacency is deleted. Otherwise, when the ISIS router is deleted later, the adjacency is not deleted and a crash happens because of UAF. Fixes #10209. Signed-off-by: Igor Ryzhov (cherry picked from commit 7209d2a4cca79fc823b65cc5854f06debb2ac448) --- isisd/isis_adjacency.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/isisd/isis_adjacency.c b/isisd/isis_adjacency.c index ffda0f8643..20489cb7dc 100644 --- a/isisd/isis_adjacency.c +++ b/isisd/isis_adjacency.c @@ -327,15 +327,18 @@ void isis_adj_state_change(struct isis_adjacency **padj, adj->flaps++; } else if (old_state == ISIS_ADJ_UP) { circuit->adj_state_changes++; - listnode_delete(circuit->u.bc.adjdb[level - 1], - adj); circuit->upadjcount[level - 1]--; if (circuit->upadjcount[level - 1] == 0) isis_tx_queue_clean(circuit->tx_queue); - if (new_state == ISIS_ADJ_DOWN) + if (new_state == ISIS_ADJ_DOWN) { + listnode_delete( + circuit->u.bc.adjdb[level - 1], + adj); + del = true; + } } if (circuit->u.bc.lan_neighs[level - 1]) { @@ -374,14 +377,17 @@ void isis_adj_state_change(struct isis_adjacency **padj, &circuit->t_send_csnp[1]); } } else if (old_state == ISIS_ADJ_UP) { - if (adj->circuit->u.p2p.neighbor == adj) - adj->circuit->u.p2p.neighbor = NULL; circuit->upadjcount[level - 1]--; if (circuit->upadjcount[level - 1] == 0) isis_tx_queue_clean(circuit->tx_queue); - if (new_state == ISIS_ADJ_DOWN) + if (new_state == ISIS_ADJ_DOWN) { + if (adj->circuit->u.p2p.neighbor == adj) + adj->circuit->u.p2p.neighbor = + NULL; + del = true; + } } } } -- 2.39.5