Skip to content

Commit

Permalink
OSPFD: Solve Issue #1652
Browse files Browse the repository at this point in the history
Issue 1652 was related to OSPF Crash on termination when ospf is
configured to flood self Opaque LSA e.g TE or RI Opaque LSA.

Analysis:
The problem resides in free_opaque_info_per_type() line 576 of
ospf_opaque.c. Once LSA flush, the function removes by calling
listnode_delete() function the opaque_info_per_type data structure.
However, this is also performed at the upper level function
ospf_opaque_type10lsa_term() which call list_delete_and_null() function.
This result into a double free pointer exception.

Solution:
Remove call to listnode_delete() calls in free_opaque_info_per_type()
function as it is done by list_delete_and_null(). Delete lines 592 - 615.
Remove also second call to ospf_opaque_type10lsa_term() in ospfd.c line 848.

Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
  • Loading branch information
odd22 committed Jan 23, 2018
1 parent b782607 commit 139a482
Show file tree
Hide file tree
Showing 2 changed files with 0 additions and 25 deletions.
24 changes: 0 additions & 24 deletions ospfd/ospf_opaque.c
Original file line number Diff line number Diff line change
Expand Up @@ -589,30 +589,6 @@ static void free_opaque_info_per_type(void *val)
ospf_opaque_lsa_flush_schedule(lsa);
}

/* Remove "oipt" from its owner's self-originated LSA list. */
switch (oipt->lsa_type) {
case OSPF_OPAQUE_LINK_LSA: {
struct ospf_interface *oi =
(struct ospf_interface *)(oipt->owner);
listnode_delete(oi->opaque_lsa_self, oipt);
break;
}
case OSPF_OPAQUE_AREA_LSA: {
struct ospf_area *area = (struct ospf_area *)(oipt->owner);
listnode_delete(area->opaque_lsa_self, oipt);
break;
}
case OSPF_OPAQUE_AS_LSA: {
struct ospf *top = (struct ospf *)(oipt->owner);
listnode_delete(top->opaque_lsa_self, oipt);
break;
}
default:
zlog_warn("free_opaque_info_per_type: Unexpected LSA-type(%u)",
oipt->lsa_type);
break; /* This case may not exist. */
}

OSPF_TIMER_OFF(oipt->t_opaque_lsa_self);
list_delete_and_null(&oipt->id_list);
XFREE(MTYPE_OPAQUE_INFO_PER_TYPE, oipt);
Expand Down
1 change: 0 additions & 1 deletion ospfd/ospfd.c
Original file line number Diff line number Diff line change
Expand Up @@ -845,7 +845,6 @@ static void ospf_area_free(struct ospf_area *area)
LSDB_LOOP(OPAQUE_LINK_LSDB(area), rn, lsa)
ospf_discard_from_db(area->ospf, area->lsdb, lsa);

ospf_opaque_type10_lsa_term(area);
ospf_lsdb_delete_all(area->lsdb);
ospf_lsdb_free(area->lsdb);

Expand Down

0 comments on commit 139a482

Please sign in to comment.