File 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch of Package frr.26974
From a5b30de5bf3ceee3c2fe3cca5d26c168511fca76 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 20 Jul 2022 16:49:09 -0400
Subject: [PATCH] isisd: Ensure rcap is freed in error case
References: bsc#1202022,CVE-2019-25074
Upstream: yes
unpack_tlv_router_cap allocates memory that in the error
case is not being freed.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index e9f615c472..bf95c414ed 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -2716,9 +2716,9 @@ static int pack_tlv_router_cap(const struct isis_router_cap *router_cap,
}
static int unpack_tlv_router_cap(enum isis_tlv_context context,
- uint8_t tlv_type, uint8_t tlv_len,
- struct stream *s, struct sbuf *log,
- void *dest, int indent)
+ uint8_t tlv_type, uint8_t tlv_len,
+ struct stream *s, struct sbuf *log, void *dest,
+ int indent)
{
struct isis_tlvs *tlvs = dest;
struct isis_router_cap *rcap;
@@ -2763,6 +2763,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
log, indent,
"WARNING: Router Capability subTLV length too large compared to expected size\n");
stream_forward_getp(s, STREAM_READABLE(s));
+ XFREE(MTYPE_ISIS_TLV, rcap);
return 0;
}
--
2.35.3