lib: Fix memory leak in in Link State

When using ls_stream2ted() function to parse Opaque Link State message to local
TED, in case of vertex or subnet deletion, the function return a pointer to the
deleted ls_element instead of NULL. This could lead into a potential pointer
corruption when caller try to access to the deleted ls_element.

This patch ensure that the ls_element pointer return by ls_stream2ted()
function is NULL when the message event is a delete operation for vertex and
subnet. Note that edge deletion was correctly handled.

Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>

1 files changed, 6 insertions, 5 deletions

diff --git a/lib/link_state.c b/lib/link_state.c
index 3771572adf..af1c62bf9c 100644
--- a/lib/link_state.c
+++ b/lib/link_state.c
@@ -502,7 +502,6 @@ void ls_vertex_del(struct ls_ted *ted, struct ls_vertex *vertex)
 	/* Then remove Vertex from Link State Data Base and free memory */
 	vertices_del(&ted->vertices, vertex);
 	XFREE(MTYPE_LS_DB, vertex);
-	vertex = NULL;
 }
 
 void ls_vertex_del_all(struct ls_ted *ted, struct ls_vertex *vertex)
@@ -1752,9 +1751,10 @@ struct ls_vertex *ls_msg2vertex(struct ls_ted *ted, struct ls_message *msg,
 	case LS_MSG_EVENT_DELETE:
 		vertex = ls_find_vertex_by_id(ted, node->adv);
 		if (vertex) {
-			if (delete)
+			if (delete) {
 				ls_vertex_del_all(ted, vertex);
-			else
+				vertex = NULL;
+			} else
 				vertex->status = DELETE;
 		}
 		break;
@@ -1831,9 +1831,10 @@ struct ls_subnet *ls_msg2subnet(struct ls_ted *ted, struct ls_message *msg,
 	case LS_MSG_EVENT_DELETE:
 		subnet = ls_find_subnet(ted, pref->pref);
 		if (subnet) {
-			if (delete)
+			if (delete) {
 				ls_subnet_del_all(ted, subnet);
-			else
+				subnet = NULL;
+			} else
 				subnet->status = DELETE;
 		}
 		break;