diff options
| author | Claudio Jeker <claudio@cvs.openbsd.org> | 2009-01-08 19:27:57 +0000 |
|---|---|---|
| committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2009-01-08 19:27:57 +0000 |
| commit | 0f618630f735c88a2290826eb5e978aaf112d512 (patch) | |
| tree | 42974f2918ad4362a3cc925560f75c44842f312e /usr.sbin/ospfd | |
| parent | 47cd8bf5f3fb0eb43fc0d092023c04c6be8f75e3 (diff) | |
Fix use after free of kr. Happend when the first loop removed the head
element without updating the kr pointer which was later on used again.
Found by david@. OK norby@
Diffstat (limited to 'usr.sbin/ospfd')
| -rw-r--r-- | usr.sbin/ospfd/kroute.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/usr.sbin/ospfd/kroute.c b/usr.sbin/ospfd/kroute.c index 4d280fa1f4e..be184c34365 100644 --- a/usr.sbin/ospfd/kroute.c +++ b/usr.sbin/ospfd/kroute.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kroute.c,v 1.65 2009/01/06 22:00:31 claudio Exp $ */ +/* $OpenBSD: kroute.c,v 1.66 2009/01/08 19:27:56 claudio Exp $ */ /* * Copyright (c) 2004 Esben Norby <norby@openbsd.org> @@ -191,6 +191,12 @@ kr_change_fib(struct kroute_node *kr, struct kroute *kroute, int krcount, /* stale route */ if (kr_delete_fib(kn) == -1) log_warnx("kr_delete_fib failed"); + /* + * if head element was removed we need to adjust + * the head + */ + if (kr == kn) + kr = nkn; } } |