From d11e0c82eab7fb6f5e5cb334f56e071cad0bab88 Mon Sep 17 00:00:00 2001
From: Renato Westphal
Date: Mon, 31 May 2021 10:27:51 -0300
Subject: [PATCH] ospfd: fix null pointer dereference when flushing an opaque LSA

Call ospf_lsa_flush() before free_opaque_info_per_id() since the latter can deallocate the LSA that is going to be flushed. Also, there's no need to set the LSA MaxAge to OSPF_LSA_MAXAGE manually as the ospf_lsa_flush() function already takes care of that.

Signed-off-by: Renato Westphal
---
 ospfd/ospf_opaque.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/ospfd/ospf_opaque.c b/ospfd/ospf_opaque.c
index 42bf914f67..fac2f97141 100644
--- a/ospfd/ospf_opaque.c
+++ b/ospfd/ospf_opaque.c
@@ -2119,15 +2119,12 @@ void ospf_opaque_lsa_flush_schedule(struct ospf_lsa *lsa0)
 goto out;
 }

+ /* This lsa will be flushed and removed eventually. */
+ ospf_lsa_flush(top, lsa);
+
 /* Dequeue listnode entry from the list. */
 listnode_delete(oipt->id_list, oipi);

- /* Disassociate internal control information with the given lsa. */
- free_opaque_info_per_id((void *)oipi);
-
- /* Force given lsa's age to MaxAge. */
- lsa->data->ls_age = htons(OSPF_LSA_MAXAGE);
-
 if (IS_DEBUG_OSPF_EVENT)
 zlog_debug(
 "Schedule Type-%u Opaque-LSA to FLUSH: [opaque-type=%u, opaque-id=%x]",
@@ -2135,8 +2132,8 @@ void ospf_opaque_lsa_flush_schedule(struct ospf_lsa *lsa0)
 GET_OPAQUE_TYPE(ntohl(lsa->data->id.s_addr)),
 GET_OPAQUE_ID(ntohl(lsa->data->id.s_addr)));

- /* This lsa will be flushed and removed eventually. */
- ospf_lsa_flush(top, lsa);
+ /* Disassociate internal control information with the given lsa. */
+ free_opaque_info_per_id((void *)oipi);

 out:
 return;
--
2.39.5
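Review bot: The order of `ospf_lsa_flush()` and `free_opaque_info_per_id()` is now the only thing keeping a freed LSA from being dereferenced, yet neither moved comment (first hunk above the flush, second hunk above the free) records that constraint, so a later reshuffle could quietly bring the bug back. I would reword the first to `/* Flush first: free_opaque_info_per_id() below may release this lsa. */` and add `/* Must stay last: lsa may be invalid after this call. */` to the second. The `zlog_debug()` between the two calls still reads `lsa->data` after the flush; that looks fine if the flush only schedules removal, as the existing comment suggests, but `ospf_lsa_flush()` is not visible here and is worth confirming. The function body starts and ends outside both hunks.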