authorClaudio Jeker <claudio@cvs.openbsd.org>2006-12-08 21:28:09 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2006-12-08 21:28:09 +0000
commitc481be686c817f0d5f4a2ccd88d331fd01571c67 (patch)
treea86809218e8b6b31ff268ad3ca8e7fdfabea8df0
parentfdc805dad24ce4b5ce73f8ab9d760fd83d0e569b (diff)
Fix a crash seen on busy area border routers. The problem was a NULL
dereference in rde_summary_update(). Even though we merge in the new LSA it may be suppressed because the remove happened less than 5 seconds ago. So the second lsa_find() is still unable to locate the LSA and in this case we may not access v->cost. Additionally only remove not yet deleted LSA in lsa_remove_invalid_sums(), removing already removed entries removes also the suppressed LSAs. Problem found and fix tested by Pierre-Yves Ritschard. OK norby@
-rw-r--r--usr.sbin/ospfd/rde.c6
-rw-r--r--usr.sbin/ospfd/rde_lsdb.c5
2 files changed, 7 insertions, 4 deletions
diff --git a/usr.sbin/ospfd/rde.c b/usr.sbin/ospfd/rde.c
index d7af2b0d19a..1aee4a2df14 100644
--- a/usr.sbin/ospfd/rde.c
+++ b/usr.sbin/ospfd/rde.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rde.c,v 1.48 2006/12/07 19:14:27 claudio Exp $ */
+/* $OpenBSD: rde.c,v 1.49 2006/12/08 21:28:08 claudio Exp $ */
/*
* Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org>
@@ -1040,7 +1040,9 @@ rde_summary_update(struct rt_node *rte, struct area *area)
v = lsa_find(area, type, rte->adv_rtr.s_addr,
rde_router_id());
}
- v->cost = rte->cost;
+ /* suppressed/deleted routes are not found in the second lsa_find */
+ if (v)
+ v->cost = rte->cost;
}
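Review bot: The new comment above `if (v)` says the second lsa_find() can miss, but not why; the reason is only in the commit message. I would spell it out, for example `/* a just-merged LSA may still be suppressed (removed < 5s ago), so lsa_find() can return NULL */`. When `v` is NULL the cost update is skipped silently, so a debug-level log on that path would make the suppressed case visible when diagnosing summary LSAs on a border router. rde_summary_update() starts outside this hunk, so the handling of the first lookup cannot be checked from here.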
diff --git a/usr.sbin/ospfd/rde_lsdb.c b/usr.sbin/ospfd/rde_lsdb.c
index 2c3cd8d5a35..77dd659b422 100644
--- a/usr.sbin/ospfd/rde_lsdb.c
+++ b/usr.sbin/ospfd/rde_lsdb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rde_lsdb.c,v 1.33 2006/08/30 05:25:33 norby Exp $ */
+/* $OpenBSD: rde_lsdb.c,v 1.34 2006/12/08 21:28:08 claudio Exp $ */
/*
* Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org>
@@ -707,7 +707,8 @@ lsa_remove_invalid_sums(struct area *area)
nv = RB_NEXT(lsa_tree, tree, v);
if ((v->lsa->hdr.type == LSA_TYPE_SUM_NETWORK ||
v->lsa->hdr.type == LSA_TYPE_SUM_ROUTER) &&
- v->nbr->self && v->cost == LS_INFINITY) {
+ v->nbr->self && v->cost == LS_INFINITY &&
+ v->deleted == 0) {
/*
* age the lsa and call lsa_timeout() which will
* actually remove it from the database.
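Review bot: The added `v->deleted == 0` term carries no comment, and the block comment that follows only describes the aging step. The reason given in the commit message belongs next to the condition, for example `/* skip entries already marked deleted: removing them again would also drop the suppressed LSAs */`. Without it, a later cleanup could drop the term as redundant and bring the crash path back. lsa_remove_invalid_sums() begins and continues outside this hunk.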