authorClaudio Jeker <claudio@cvs.openbsd.org>2009-01-08 19:27:57 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2009-01-08 19:27:57 +0000
commit0f618630f735c88a2290826eb5e978aaf112d512 (patch)
tree42974f2918ad4362a3cc925560f75c44842f312e /usr.sbin
parent47cd8bf5f3fb0eb43fc0d092023c04c6be8f75e3 (diff)
Fix use after free of kr. Happened when the first loop removed the head
element without updating the kr pointer, which was later used again. Found by david@. OK norby@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/ospfd/kroute.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/usr.sbin/ospfd/kroute.c b/usr.sbin/ospfd/kroute.c
index 4d280fa1f4e..be184c34365 100644
--- a/usr.sbin/ospfd/kroute.c
+++ b/usr.sbin/ospfd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.65 2009/01/06 22:00:31 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.66 2009/01/08 19:27:56 claudio Exp $ */
/*
* Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -191,6 +191,12 @@ kr_change_fib(struct kroute_node *kr, struct kroute *kroute, int krcount,
/* stale route */
if (kr_delete_fib(kn) == -1)
log_warnx("kr_delete_fib failed");
+ /*
+ * if head element was removed we need to adjust
+ * the head
+ */
+ if (kr == kn)
+ kr = nkn;
}
}
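Review bot: The new `kr = nkn` assignment can leave `kr` NULL when every node in the list turns out to be stale, assuming `nkn` is the saved next pointer and is therefore NULL at the tail; the code that uses `kr` after this loop lies outside the hunk and should be confirmed to check for NULL before dereferencing it. The head is also advanced whether or not `kr_delete_fib(kn)` succeeded, so if a failed delete leaves `kn` linked and allocated, `kr` would silently skip a live head; a comment such as `/* kn is gone even if kr_delete_fib() failed */` would document the assumption if it holds. Because `kr` is a by-value parameter, this fix only repairs the local copy, and a caller that keeps its own pointer to the old head must not use it after the call. kr_change_fib's body starts and ends outside the hunk.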