isisd: skip over deleted fragments

Since LSP fragments are also on our lspdb dict, lsp_tick() needs to skip over them after calling lsp_destroy(). Otherwise it ends up accessing free'd memory. Fixes: #3533 Signed-off-by: David Lamparter <equinox@diac24.net>
FRRouting · Feb 18, 2019 · 0c77e17 · 0c77e17
1 parent feed78a
commit 0c77e17
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
@@ -1930,6 +1930,27 @@ int lsp_tick(struct thread *thread)
 						area->area_tag, lsp->level,
 						rawlspid_print(lsp->hdr.lsp_id),
 						lsp->hdr.seqno);
+
+					/* if we're aging out fragment 0,
+					 * lsp_destroy() below will delete all
+					 * other fragments too, so we need to
+					 * skip over those
+					 */
+					while (!LSP_FRAGMENT(lsp->hdr.lsp_id)
+							&& dnode_next) {
+						struct isis_lsp *nextlsp;
+
+						nextlsp = dnode_get(dnode_next);
+						if (memcmp(nextlsp->hdr.lsp_id,
+							   lsp->hdr.lsp_id,
+							   ISIS_SYS_ID_LEN + 1))
+							break;
+
+						dnode_next = dict_next(
+							area->lspdb[level],
+							dnode_next);
+					}
+
 					lsp_destroy(lsp);
 					lsp = NULL;
 					dict_delete_free(area->lspdb[level],