ospf6d, tests: Prevent use after free

The code pattern:

for (ALL_LSDB(lsdb, lsa)) {
	remove_lsa(lsa)
}

has a use after free in ALL_LSDB, since we ask for the next pointer,
after it has been freed.

Modify the code such that we grab the next pointer before we can
possibly free it.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>

1 files changed, 4 insertions, 4 deletions

diff --git a/ospf6d/ospf6_lsdb.c b/ospf6d/ospf6_lsdb.c
index b551dbdfa..db6f9a780 100644
--- a/ospf6d/ospf6_lsdb.c
+++ b/ospf6d/ospf6_lsdb.c
@@ -298,12 +298,12 @@ struct ospf6_lsa *ospf6_lsdb_next(const struct route_node *iterend,
 
 void ospf6_lsdb_remove_all(struct ospf6_lsdb *lsdb)
 {
-	struct ospf6_lsa *lsa;
+	struct ospf6_lsa *lsa, *lsanext;
 
 	if (lsdb == NULL)
 		return;
 
-	for (ALL_LSDB(lsdb, lsa))
+	for (ALL_LSDB(lsdb, lsa, lsanext))
 		ospf6_lsdb_remove(lsa, lsdb);
 }
 
@@ -319,9 +319,9 @@ void ospf6_lsdb_lsa_unlock(struct ospf6_lsa *lsa)
 int ospf6_lsdb_maxage_remover(struct ospf6_lsdb *lsdb)
 {
 	int reschedule = 0;
-	struct ospf6_lsa *lsa;
+	struct ospf6_lsa *lsa, *lsanext;
 
-	for (ALL_LSDB(lsdb, lsa)) {
+	for (ALL_LSDB(lsdb, lsa, lsanext)) {
 		if (!OSPF6_LSA_IS_MAXAGE(lsa))
 			continue;
 		if (lsa->retrans_count != 0) {