Fix use after free of kr. Happend when the first loop removed the head

element without updating the kr pointer which was later on used again. Found by david@. OK norby@
author: claudio <claudio@openbsd.org> 2009-01-08 19:27:56 +0000
committer: claudio <claudio@openbsd.org> 2009-01-08 19:27:56 +0000
commit: 8cee13bc83b32b8d97b4546f2cdd2a1daba17876 (patch)
tree: f5393e8210403270c89924bae01f2d06c02dad2b
parent: Include the neighbor ID in a debug output so that it is clear which router (diff)
download: wireguard-openbsd-8cee13bc83b32b8d97b4546f2cdd2a1daba17876.tar.xz
wireguard-openbsd-8cee13bc83b32b8d97b4546f2cdd2a1daba17876.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/usr.sbin/ospfd/kroute.c b/usr.sbin/ospfd/kroute.c
index 4d280fa1f4e..be184c34365 100644
--- a/usr.sbin/ospfd/kroute.c
+++ b/usr.sbin/ospfd/kroute.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kroute.c,v 1.65 2009/01/06 22:00:31 claudio Exp $ */
+/*	$OpenBSD: kroute.c,v 1.66 2009/01/08 19:27:56 claudio Exp $ */
 
 /*
  * Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -191,6 +191,12 @@ kr_change_fib(struct kroute_node *kr, struct kroute *kroute, int krcount,
 				/* stale route */
 				if (kr_delete_fib(kn) == -1)
 					log_warnx("kr_delete_fib failed");
+			/*
+			 * if head element was removed we need to adjust
+			 * the head
+			 */
+			if (kr == kn)
+				kr = nkn;
 		}
 	}
author	claudio <claudio@openbsd.org>	2009-01-08 19:27:56 +0000
committer	claudio <claudio@openbsd.org>	2009-01-08 19:27:56 +0000
commit	8cee13bc83b32b8d97b4546f2cdd2a1daba17876 (patch)
tree	f5393e8210403270c89924bae01f2d06c02dad2b
parent	Include the neighbor ID in a debug output so that it is clear which router (diff)
download	wireguard-openbsd-8cee13bc83b32b8d97b4546f2cdd2a1daba17876.tar.xz wireguard-openbsd-8cee13bc83b32b8d97b4546f2cdd2a1daba17876.zip