diff options
| author | Louis Scalbert <louis.scalbert@6wind.com> | 2024-09-12 09:31:49 +0200 |
|---|---|---|
| committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-09-17 12:35:15 +0000 |
| commit | 670c4039ce7e60143f42d3f888fecd117fe50b1a (patch) | |
| tree | 4f2e14cc039cbce8558a0beda6e42aef264538ba /lib/xref.h | |
| parent | 9ffb74fb2ff67bf184c5e6a628bf263479084a10 (diff) | |
isisd: fix rcap tlv double-free crash
A double-free crash happens when a subTLV of the "Router Capability"
TLV is not readable and a previous "Router Capability" TLV was read.
rcap was supposed to be freed later by isis_free_tlvs() ->
free_tlv_router_cap(). In 78774bbcd5 ("isisd: add isis flex-algo lsp
advertisement"), this was not the case because rcap was not saved to
tlvs->router_cap when the function returned early because of a subTLV
length issue.
Always set tlvs->router_cap to free the memory.
Note that this patch has the consequence that in case of subTLV error,
the previously read "Router Capability" subTLVs are kept in memory.
Fixes: 49efc80d34 ("isisd: Ensure rcap is freed in error case")
Fixes: 78774bbcd5 ("isisd: add isis flex-algo lsp advertisement")
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
(cherry picked from commit d61758140d33972c10ecbb72d0a3e528049dd8d6)
Diffstat (limited to 'lib/xref.h')
0 files changed, 0 insertions, 0 deletions