From 5fe70a71765bd8fe72208b7667a0c47fbd494329 Mon Sep 17 00:00:00 2001
From: Quentin Young
Date: Fri, 9 Jun 2017 14:53:11 +0000
Subject: [PATCH] isisd: fix heap uaf, round 2
Signed-off-by: Quentin Young
---
 isisd/isis_adjacency.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/isisd/isis_adjacency.c b/isisd/isis_adjacency.c
index de1ccaad13..3821930927 100644
--- a/isisd/isis_adjacency.c
+++ b/isisd/isis_adjacency.c
@@ -178,6 +178,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
 int old_state;
 int level;
 struct isis_circuit *circuit;
+ bool del;
 
 old_state = adj->adj_state;
 adj->adj_state = new_state;
@@ -212,7 +213,8 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
 
 if (circuit->circ_type == CIRCUIT_T_BROADCAST)
 {
- for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++)
+ del = false;
+ for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
 {
 if ((adj->level & level) == 0)
 continue;
@@ -235,8 +237,7 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
 list_delete_all_node (circuit->lsp_queue);
 }
 isis_event_adjacency_state_change (adj, new_state);
- isis_delete_adj (adj);
- adj = NULL;
+ del = true;
 }
 
 if (circuit->u.bc.lan_neighs[level - 1])
@@ -250,10 +251,16 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
 if (circuit->u.bc.is_dr[level - 1])
 lsp_regenerate_schedule_pseudo (circuit, level);
 }
+
+ if (del)
+ isis_delete_adj (adj);
+
+ adj = NULL;
 }
 else if (circuit->circ_type == CIRCUIT_T_P2P)
 {
- for (level = IS_LEVEL_1; adj && level <= IS_LEVEL_2; level++)
+ del = false;
+ for (level = IS_LEVEL_1; level <= IS_LEVEL_2; level++)
 {
 if ((adj->level & level) == 0)
 continue;
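Review bot: `bool del;` in the -178 hunk is declared uninitialised and then assigned `false` at the top of each branch in the -212 and -250 hunks, which leaves the flag's value depending on every branch remembering that assignment. Initialising it at the declaration, `bool del = false;`, makes both per-branch assignments redundant and keeps a future circuit-type branch from reading an indeterminate value before `if (del)`. This assumes `<stdbool.h>` is already available to this file, which the hunk does not show. The function's opening line is above the hunk.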
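Review bot: With `adj &&` removed from the loop condition in the -212 hunk and the delete deferred until after the loop, `del = true;` here no longer ends the iteration, so an adjacency with both level bits set now runs the whole body for IS_LEVEL_2 as well, and `isis_event_adjacency_state_change (adj, new_state)` on the line above can be raised once per level where the old code stopped after the first. That looks like the intended effect of the fix, but it is a visible behaviour change worth a comment at the `del = true;` line, e.g. `/* defer the free: the remaining levels still need adj */`. The same applies to the -285 hunk on the P2P path. The surrounding `if` that assigns `del` starts above this hunk.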
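Review bot: `adj = NULL;` after `if (del) isis_delete_adj (adj);` only clears the function's own copy of the by-value parameter, so any caller that keeps using its pointer after a call that brings the adjacency down still reads freed memory; the commit closes the use-after-free inside this function but not across its boundary. Since the hunk gives no way for callers to learn that the object was freed, I would at least state the contract at the function's declaration (outside this hunk), e.g. `/* May free adj when the adjacency goes down; the caller must not touch adj after this call. */`, and consider having the function report whether `adj` was freed so callers can drop their reference. The same deferred-delete block appears in the -285 hunk.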
@@ -285,10 +292,14 @@ isis_adj_state_change (struct isis_adjacency *adj, enum isis_adj_state new_state
 list_delete_all_node (circuit->lsp_queue);
 }
 isis_event_adjacency_state_change (adj, new_state);
- isis_delete_adj (adj);
- adj = NULL;
+ del = true;
 }
 }
+
+ if (del)
+ isis_delete_adj (adj);
+
+ adj = NULL;
 }
 
 return;
-- 
2.39.5