35f367fe53
- Apply upstream fix for out-of-bounds read in the BGP daemon that may lead to information disclosure or denial of service (bsc#1202023,CVE-2022-37032) [+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch] - Apply upstream fix for a memory leak in the IS-IS daemon that may lead to server memory exhaustion (bsc#1202023,CVE-2019-25074) [+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch] OBS-URL: https://build.opensuse.org/request/show/1001418 OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=40
42 lines
1.3 KiB
Diff
42 lines
1.3 KiB
Diff
From 49efc80d342d8e8373c8af040580bd7940808730 Mon Sep 17 00:00:00 2001
|
|
From: Donald Sharp <sharpd@nvidia.com>
|
|
Date: Wed, 20 Jul 2022 16:49:09 -0400
|
|
Subject: [PATCH] isisd: Ensure rcap is freed in error case
|
|
References: bsc#1202022
|
|
Upstream: yes
|
|
|
|
unpack_tlv_router_cap allocates memory that in the error
|
|
case is not being freed.
|
|
|
|
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
|
|
|
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
|
|
index 11be3c3a71..b3c3fd4b0b 100644
|
|
--- a/isisd/isis_tlvs.c
|
|
+++ b/isisd/isis_tlvs.c
|
|
@@ -3580,9 +3580,9 @@ static int pack_tlv_router_cap(const struct isis_router_cap *router_cap,
|
|
}
|
|
|
|
static int unpack_tlv_router_cap(enum isis_tlv_context context,
|
|
- uint8_t tlv_type, uint8_t tlv_len,
|
|
- struct stream *s, struct sbuf *log,
|
|
- void *dest, int indent)
|
|
+ uint8_t tlv_type, uint8_t tlv_len,
|
|
+ struct stream *s, struct sbuf *log, void *dest,
|
|
+ int indent)
|
|
{
|
|
struct isis_tlvs *tlvs = dest;
|
|
struct isis_router_cap *rcap;
|
|
@@ -3627,7 +3627,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
|
|
log, indent,
|
|
"WARNING: Router Capability subTLV length too large compared to expected size\n");
|
|
stream_forward_getp(s, STREAM_READABLE(s));
|
|
-
|
|
+ XFREE(MTYPE_ISIS_TLV, rcap);
|
|
return 0;
|
|
}
|
|
|
|
--
|
|
2.35.3
|
|
|