From cdd0c84970dfa98e0232011eb7c7241805c9e4eb Mon Sep 17 00:00:00 2001 From: Paul Jakma Date: Tue, 8 Sep 2015 15:31:45 +0100 Subject: [PATCH] ospfd: Fix bug in 94266fa822ba, nbr_self rebuild didn't add valid nbr_self * 94266fa822ba "ospfd: Self nbrs needs to be rebuilt when router ID changes." deleted the nbr_self, and added it back, but ospf_nbr_add_self doesn't actually create the nbr_self - it assumes it's already there. Leading to use after free and crashes after a router-id change. * ospfd/ospf_neighbor.{c,h}: (ospf_nbr_self_reset) Little helper to reset the nbr_self correctly. * ospf_interface.c: (ospf_if_cleanup) moved code to ospf_nbr_self_reset * ospfd.c: (ospf_router_id_update) Use ospf_nbr_self_reset instead of doing the reset badly, fixing 94266fa822ba. (cherry picked from commit c920e510d09c6c4ab63a3da5375009442a950f82)
---
 ospfd/ospf_interface.c | 4 +--- ospfd/ospf_neighbor.c | 9 +++++++++ ospfd/ospf_neighbor.h | 1 + ospfd/ospfd.c | 3 +-- 4 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/ospfd/ospf_interface.c b/ospfd/ospf_interface.c
index 628091963e..5b6be1c8dc 100644
--- a/ospfd/ospf_interface.c
+++ b/ospfd/ospf_interface.c
@@ -297,9 +297,7 @@ ospf_if_cleanup (struct ospf_interface *oi)
 ospf_ls_upd_queue_empty (oi);
 /* Reset pseudo neighbor. */
- ospf_nbr_delete (oi->nbr_self);
- oi->nbr_self = ospf_nbr_new (oi);
- ospf_nbr_add_self (oi);
+ ospf_nbr_self_reset (oi);
 }
 void
diff --git a/ospfd/ospf_neighbor.c b/ospfd/ospf_neighbor.c
index afc74d2b00..83f91ad539 100644
--- a/ospfd/ospf_neighbor.c
+++ b/ospfd/ospf_neighbor.c
@@ -206,6 +206,15 @@ ospf_nbr_bidirectional (struct in_addr *router_id,
 return 0;
 }
+/* reset nbr_self */
+void
+ospf_nbr_self_reset (struct ospf_interface *oi)
+{
+ ospf_nbr_delete (oi->nbr_self);
+ oi->nbr_self = ospf_nbr_new (oi);
+ ospf_nbr_add_self (oi);
+}
+
 /* Add self to nbr list. */
 void
 ospf_nbr_add_self (struct ospf_interface *oi)
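Review bot: In ospf_neighbor.c, the new ospf_nbr_self_reset hands oi->nbr_self to ospf_nbr_delete unconditionally, and its one-line comment says nothing about the lifetime of the object it replaces. Whether ospf_nbr_delete tolerates NULL is not visible in this patch, so a guard such as `if (oi->nbr_self) ospf_nbr_delete (oi->nbr_self);` would keep the helper safe on an interface whose self-neighbour was never created. The comment should also state that the old object is freed, e.g. `/* Free oi->nbr_self and install a fresh one; pointers to the old nbr_self are invalid after this call. */`, since a stale nbr_self is exactly the use after free the commit message describes. The ospf_if_cleanup hunk in ospf_interface.c now goes through the same helper, so the guard would cover that path as well.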
diff --git a/ospfd/ospf_neighbor.h b/ospfd/ospf_neighbor.h
index 7118dd0210..81e212b573 100644
--- a/ospfd/ospf_neighbor.h
+++ b/ospfd/ospf_neighbor.h
@@ -102,6 +102,7 @@ extern struct ospf_neighbor *ospf_nbr_new (struct ospf_interface *);
 extern void ospf_nbr_free (struct ospf_neighbor *);
 extern void ospf_nbr_delete (struct ospf_neighbor *);
 extern int ospf_nbr_bidirectional (struct in_addr *, struct in_addr *, int);
+extern void ospf_nbr_self_reset (struct ospf_interface *);
 extern void ospf_nbr_add_self (struct ospf_interface *);
 extern int ospf_nbr_count (struct ospf_interface *, int);
 #ifdef HAVE_OPAQUE_LSA
diff --git a/ospfd/ospfd.c b/ospfd/ospfd.c
index 7af6ddc379..050cbad196 100644
--- a/ospfd/ospfd.c
+++ b/ospfd/ospfd.c
@@ -124,8 +124,7 @@ ospf_router_id_update (struct ospf *ospf)
 * oi->nbr_self->router_id = router_id for
 * !(virtual | ptop) links
 */
- ospf_nbr_delete(oi->nbr_self);
- ospf_nbr_add_self(oi);
+ ospf_nbr_self_reset (oi);
 }
 /* If AS-external-LSA is queued, then flush those LSAs. */
--
2.39.5
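Review bot: In the ospfd.c hunk, the comment kept above the new `ospf_nbr_self_reset (oi);` call still describes setting `oi->nbr_self->router_id`, while the call now frees and re-creates the whole self-neighbour. Any `struct ospf_neighbor *` to the old nbr_self held elsewhere would dangle after this line. The start of that comment and the rest of ospf_router_id_update lie outside the hunk, so whether such references exist cannot be confirmed here and is worth checking. I would extend the comment with `nbr_self is freed and re-created here; do not keep the old pointer across this call.` and add a regression test that changes the router-id on a running instance.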