From 06af50eacec8660fada0d4fd5cd11f0ade4e3c6c Mon Sep 17 00:00:00 2001
From: Acee Lindem <acee@lindem.com>
Date: Mon, 24 Feb 2025 21:44:32 +0000
Subject: [PATCH] ospf6d: Fix use after free of router in OSPFv3 ABR route
 calculation.

This PR fixes FRR issue https://github.com/FRRouting/frr/issues/18040. The
OSPFv3 route is locked during the ABR calculation since there are
scenarios under which it is freed. The OSPFv3 ABR computation is
sub-optimal and this PR doesn't attempt to rework it.

Signed-off-by: Acee Lindem <acee@lindem.com>
---
 ospf6d/ospf6_intra.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c
index 4765c29e1e47..da67c4ed6777 100644
--- a/ospf6d/ospf6_intra.c
+++ b/ospf6d/ospf6_intra.c
@@ -2194,9 +2194,15 @@ void ospf6_intra_brouter_calculation(struct ospf6_area *oa)
 				zlog_info("%s: brouter %s appears via area %s",
 					  __func__, brouter_name, oa->name);
 
+			ospf6_route_lock(brouter);
 			/* newly added */
 			if (hook_add)
 				(*hook_add)(brouter);
+			if (CHECK_FLAG(brouter->flag, OSPF6_ROUTE_WAS_REMOVED)) {
+				ospf6_route_unlock(brouter);
+				brouter = NULL;
+			} else
+				ospf6_route_unlock(brouter);
 		} else {
 			if (IS_OSPF6_DEBUG_BROUTER_SPECIFIC_ROUTER_ID(
 				    brouter_id)