Can someone give this diff for ospf6d a try?
This fixes the same issue that I just committed for ospfd:

revision 1.48
date: 2020/05/06 14:40:54;  author: claudio;  state: Exp;  lines: +5 -5;
commitid: 1nh8JCAv0Kmqd1jV;
Do not use the pointer returned by ibuf_reserve() after calling another
ibuf function. After the call the internal buffer may have moved by
realloc() and so the pointer is invalid. Instead use ibuf_size() to get
the current offset in the buffer and use ibuf_seek() later on to write
back the updated lsa age into the buffer at the right spot.
This fixes an issue seen by Richard Chivers on routers with many passive
interfaces.
OK stsp@ deraadt@


Thanks
-- 
:wq Claudio

Index: lsupdate.c
===================================================================
RCS file: /cvs/src/usr.sbin/ospf6d/lsupdate.c,v
retrieving revision 1.16
diff -u -p -r1.16 lsupdate.c
--- lsupdate.c  4 May 2020 14:36:51 -0000       1.16
+++ lsupdate.c  6 May 2020 14:33:40 -0000
@@ -194,13 +194,13 @@ int
 add_ls_update(struct ibuf *buf, struct iface *iface, void *data, u_int16_t len,
     u_int16_t older)
 {
-       void            *lsage;
-       u_int16_t        age;
+       size_t          ageoff;
+       u_int16_t       age;
 
        if (buf->wpos + len >= buf->max)
                return (0);
 
-       lsage = ibuf_reserve(buf, 0);
+       ageoff = ibuf_size(buf);
        if (ibuf_add(buf, data, len)) {
                log_warn("add_ls_update");
                return (0);
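Review bot: The new line `ageoff = ibuf_size(buf);` needs a short comment, because nothing in the code says why an offset is kept instead of a pointer, and a later cleanup could reintroduce the stale pointer after a realloc(). Something like `/* save the offset, not a pointer: ibuf_add() may realloc the buffer */` above that line would do. The body of add_ls_update continues past the end of this hunk.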
@@ -212,7 +212,7 @@ add_ls_update(struct ibuf *buf, struct i
        if ((age += older + iface->transmit_delay) >= MAX_AGE)
                age = MAX_AGE;
        age = htons(age);
-       memcpy(lsage, &age, sizeof(age));
+       memcpy(ibuf_seek(buf, ageoff, sizeof(age)), &age, sizeof(age));
 
        return (1);
 }
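Review bot: The return value of `ibuf_seek()` is passed straight to `memcpy()` as the destination, and ibuf_seek() returns NULL when the requested range lies outside the data written so far. That cannot happen once ibuf_add() has appended at least sizeof(age) bytes, but `len` is caller-supplied and nothing visible in these hunks rejects a `len` shorter than the age field, so a short LSA would become a write through NULL. A guard such as `if (len < sizeof(age)) return (0);` before the ibuf_add() call, or a NULL check on the ibuf_seek() result, would close that. The lines between the two hunks are not shown, so an existing check there may already cover it.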
