From e976fc2397dd0f0a759c3ddc45a56972edad655e Mon Sep 17 00:00:00 2001
From: David Lamparter
Date: Mon, 18 Feb 2019 21:34:06 +0100
Subject: [PATCH] isisd: skip over deleted fragments

Since LSP fragments are also on our lspdb dict, lsp_tick() needs to skip over them after calling lsp_destroy(). Otherwise it ends up accessing free'd memory.

Fixes: #3533
Signed-off-by: David Lamparter
---
 isisd/isis_lsp.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
index 658624370b..b56a56fa3f 100644
--- a/isisd/isis_lsp.c
+++ b/isisd/isis_lsp.c
@@ -1930,6 +1930,27 @@ int lsp_tick(struct thread *thread)
 area->area_tag, lsp->level,
 rawlspid_print(lsp->hdr.lsp_id),
 lsp->hdr.seqno);
+
+ /* if we're aging out fragment 0,
+ * lsp_destroy() below will delete all
+ * other fragments too, so we need to
+ * skip over those
+ */
+ while (!LSP_FRAGMENT(lsp->hdr.lsp_id)
+ && dnode_next) {
+ struct isis_lsp *nextlsp;
+
+ nextlsp = dnode_get(dnode_next);
+ if (memcmp(nextlsp->hdr.lsp_id,
+ lsp->hdr.lsp_id,
+ ISIS_SYS_ID_LEN + 1))
+ break;
+
+ dnode_next = dict_next(
+ area->lspdb[level],
+ dnode_next);
+ }
+
 lsp_destroy(lsp);
 lsp = NULL;
 dict_delete_free(area->lspdb[level],
-- 
2.39.5
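Review bot: The skip loop added before `lsp_destroy(lsp)` picks the nodes to step over purely by key prefix (`memcmp(..., ISIS_SYS_ID_LEN + 1)`), while the nodes that actually get freed are chosen inside lsp_destroy(), which is not visible in this hunk. The use-after-free stays fixed only as long as those two agree, and that presumably depends on lspdb being ordered by LSP ID. The existing comment should state that invariant, for example `/* lspdb is ordered by LSP ID, so every fragment of this LSP directly follows fragment 0; keep in sync with lsp_destroy() */`. The `!LSP_FRAGMENT(lsp->hdr.lsp_id)` test is also loop-invariant and would read more clearly as an enclosing `if` around `while (dnode_next)`. lsp_tick() starts and ends outside the hunk.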