author | Claudio Jeker <claudio@cvs.openbsd.org> | 2006-12-08 21:28:09 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2006-12-08 21:28:09 +0000 |
commit | c481be686c817f0d5f4a2ccd88d331fd01571c67 (patch) | |
tree | a86809218e8b6b31ff268ad3ca8e7fdfabea8df0 | |
parent | fdc805dad24ce4b5ce73f8ab9d760fd83d0e569b (diff) |
Fix a crash seen on busy area border routers. The problem was a NULL
dereference in rde_summary_update(). Even though we merge in the new LSA
it may be suppressed because the remove happened less than 5 seconds ago.
So the second lsa_find() is still unable to locate the LSA and in this case
we may not access v->cost. Additionally only remove not yet deleted LSA
in lsa_remove_invalid_sums(), removing already removed entries removes also
the suppressed LSAs.
Problem found and fix tested by Pierre-Yves Ritschard. OK norby@
-rw-r--r-- | usr.sbin/ospfd/rde.c | 6 |
-rw-r--r-- | usr.sbin/ospfd/rde_lsdb.c | 5 |
2 files changed, 7 insertions, 4 deletions
diff --git a/usr.sbin/ospfd/rde.c b/usr.sbin/ospfd/rde.c index d7af2b0d19a..1aee4a2df14 100644 --- a/usr.sbin/ospfd/rde.c +++ b/usr.sbin/ospfd/rde.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde.c,v 1.48 2006/12/07 19:14:27 claudio Exp $ */ +/* $OpenBSD: rde.c,v 1.49 2006/12/08 21:28:08 claudio Exp $ */ /* * Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org> @@ -1040,7 +1040,9 @@ rde_summary_update(struct rt_node *rte, struct area *area) v = lsa_find(area, type, rte->adv_rtr.s_addr, rde_router_id()); } - v->cost = rte->cost; + /* suppressed/deleted routes are not found in the second lsa_find */ + if (v) + v->cost = rte->cost; } diff --git a/usr.sbin/ospfd/rde_lsdb.c b/usr.sbin/ospfd/rde_lsdb.c index 2c3cd8d5a35..77dd659b422 100644 --- a/usr.sbin/ospfd/rde_lsdb.c +++ b/usr.sbin/ospfd/rde_lsdb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde_lsdb.c,v 1.33 2006/08/30 05:25:33 norby Exp $ */ +/* $OpenBSD: rde_lsdb.c,v 1.34 2006/12/08 21:28:08 claudio Exp $ */ /* * Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org> @@ -707,7 +707,8 @@ lsa_remove_invalid_sums(struct area *area) nv = RB_NEXT(lsa_tree, tree, v); if ((v->lsa->hdr.type == LSA_TYPE_SUM_NETWORK || v->lsa->hdr.type == LSA_TYPE_SUM_ROUTER) && - v->nbr->self && v->cost == LS_INFINITY) { + v->nbr->self && v->cost == LS_INFINITY && + v->deleted == 0) { /* * age the lsa and call lsa_timeout() which will * actually remove it from the database. |
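Review bot: In the rde.c hunk, the new `if (v)` guard after the second lsa_find() in rde_summary_update() avoids the NULL dereference, but it also means rte->cost is silently not recorded whenever the LSA is suppressed. The added comment says only that the entry is not found; it should also say why skipping the assignment is safe, or where v->cost gets set once the suppressed LSA is installed, since nothing in the visible lines shows that path. Writing the test as `if (v != NULL)` would make the pointer check explicit.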
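Review bot: In the rde_lsdb.c hunk, the added `v->deleted == 0` condition in lsa_remove_invalid_sums() has no comment, and the reason for it (removing an already removed entry also removes the suppressed LSA) is recorded only in the commit message. Extend the existing block comment inside the if to state that already deleted entries are skipped on purpose, so the test is not dropped later as redundant with the `v->cost == LS_INFINITY` check.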