From cf29dab3b545f4d8c2286599d2f74426f365911f Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Tue, 13 Feb 2018 23:34:52 -0500
Subject: [PATCH] ospf6d: Fix a possible deref by null found in SA

There exists a possibility that rtr_lsa may be null. Add an assert that shows we actually expect it to be non-null at this point in time going forward.

Signed-off-by: Donald Sharp
---
 ospf6d/ospf6_spf.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/ospf6d/ospf6_spf.c b/ospf6d/ospf6_spf.c
index 17ce1771e2..29ba1bcec7 100644
--- a/ospf6d/ospf6_spf.c
+++ b/ospf6d/ospf6_spf.c
@@ -1029,18 +1029,21 @@ struct ospf6_lsa *ospf6_create_single_router_lsa(struct ospf6_area *area,
 /* Fill Larger LSA Payload */
 end = ospf6_lsdb_head(lsdb, 2, type, adv_router, &rtr_lsa);
- if (rtr_lsa) {
- if (!OSPF6_LSA_IS_MAXAGE(rtr_lsa)) {
- /* Append first Link State ID LSA */
- lsa_header = (struct ospf6_lsa_header *)rtr_lsa->header;
- memcpy(new_header, lsa_header,
- ntohs(lsa_header->length));
- /* Assign new lsa length as aggregated length. */
- ((struct ospf6_lsa_header *)new_header)->length =
- htons(total_lsa_length);
- new_header += ntohs(lsa_header->length);
- num_lsa--;
- }
+
+ /*
+ * We assume at this point in time that rtr_lsa is
+ * a valid pointer.
+ */
+ assert(rtr_lsa);
+ if (!OSPF6_LSA_IS_MAXAGE(rtr_lsa)) {
+ /* Append first Link State ID LSA */
+ lsa_header = (struct ospf6_lsa_header *)rtr_lsa->header;
+ memcpy(new_header, lsa_header, ntohs(lsa_header->length));
+ /* Assign new lsa length as aggregated length. */
+ ((struct ospf6_lsa_header *)new_header)->length =
+ htons(total_lsa_length);
+ new_header += ntohs(lsa_header->length);
+ num_lsa--;
 }
 /* Print LSA Name */
--
2.39.5
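Review bot: The added `assert(rtr_lsa);` turns the case the old `if (rtr_lsa)` guard skipped quietly into an abort of the whole ospf6d process, and in any build where assertions are compiled out the next line, `OSPF6_LSA_IS_MAXAGE(rtr_lsa)`, dereferences the null pointer anyway. The database that `ospf6_lsdb_head()` walks is typically populated from LSAs received from neighbours, so unless code outside this hunk guarantees a router LSA for `adv_router` exists, this is a state a peer may be able to influence, and a daemon crash is a poor failure mode for it. I would treat it as a runtime error instead, `if (rtr_lsa == NULL) return NULL;`, after releasing whatever the function allocated behind `new_header` above the hunk (not visible here) and confirming that callers accept a NULL return. The function begins and ends outside the hunk.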