diff options
author | Claudio Jeker <claudio@cvs.openbsd.org> | 2009-11-11 07:59:11 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2009-11-11 07:59:11 +0000 |
commit | bfb0f4fec84a72e97be1b73db2c40202e07808b6 (patch) | |
tree | 0ce9fbaa079076f7bae078e2c6a7b8dbdea74502 | |
parent | 6d744224329449e764ac8eefb83da8311a246977 (diff) |
Fix an obvious use after free. Found by parfait. Reported and OK jsg@
-rw-r--r-- | usr.sbin/ospfd/rde.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/usr.sbin/ospfd/rde.c b/usr.sbin/ospfd/rde.c index 4c82b747c5b..c42abef4353 100644 --- a/usr.sbin/ospfd/rde.c +++ b/usr.sbin/ospfd/rde.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde.c,v 1.83 2009/11/02 20:20:54 claudio Exp $ */ +/* $OpenBSD: rde.c,v 1.84 2009/11/11 07:59:10 claudio Exp $ */ /* * Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org> @@ -438,9 +438,6 @@ rde_dispatch_imsg(int fd, short event, void *bula) if (self) free(lsa); } else if (r < 0) { - /* lsa no longer needed */ - free(lsa); - /* * point 6 of "The Flooding Procedure" * We are violating the RFC here because @@ -452,9 +449,13 @@ rde_dispatch_imsg(int fd, short event, void *bula) if (rde_req_list_exists(nbr, &lsa->hdr)) { imsg_compose_event(iev_ospfe, IMSG_LS_BADREQ, imsg.hdr.peerid, 0, -1, NULL, 0); + free(lsa); break; } + /* lsa no longer needed */ + free(lsa); + /* new LSA older than DB */ if (ntohl(db_hdr->seq_num) == MAX_SEQ_NUM && ntohs(db_hdr->age) == MAX_AGE) |