File 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch of Package frr.26974

From a5b30de5bf3ceee3c2fe3cca5d26c168511fca76 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 20 Jul 2022 16:49:09 -0400
Subject: [PATCH] isisd: Ensure rcap is freed in error case
References: bsc#1202022,CVE-2019-25074
Upstream: yes

unpack_tlv_router_cap allocates memory that in the error
case is not being freed.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>

diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index e9f615c472..bf95c414ed 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -2716,9 +2716,9 @@ static int pack_tlv_router_cap(const struct isis_router_cap *router_cap,
 }
 
 static int unpack_tlv_router_cap(enum isis_tlv_context context,
-				       uint8_t tlv_type, uint8_t tlv_len,
-				       struct stream *s, struct sbuf *log,
-				       void *dest, int indent)
+				 uint8_t tlv_type, uint8_t tlv_len,
+				 struct stream *s, struct sbuf *log, void *dest,
+				 int indent)
 {
 	struct isis_tlvs *tlvs = dest;
 	struct isis_router_cap *rcap;
@@ -2763,6 +2763,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
 				log, indent,
 				"WARNING: Router Capability subTLV length too large compared to expected size\n");
 			stream_forward_getp(s, STREAM_READABLE(s));
+			XFREE(MTYPE_ISIS_TLV, rcap);
 			return 0;
 		}
 
-- 
2.35.3