From 56b7d690bb6e3cea976b7d0d2eeffb7de018b589 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Fri, 2 Dec 2022 12:51:34 -0500
Subject: [PATCH] bgpd: Hash release before we change the underlying hash assumptions

The bgp->peerhash is made up of the sockunion and the CONFIG_NODE flag. If the CONFIG_NODE flag is moved around or changed then we get into a situation where both the doppelganger and the peer actually hash to the exact same thing. Leading to wrongful deletion and pointers being used after freed.

Signed-off-by: Donald Sharp
---
 bgpd/bgp_fsm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bgpd/bgp_fsm.c b/bgpd/bgp_fsm.c
index db68c918c0..1f6ab8d593 100644
--- a/bgpd/bgp_fsm.c
+++ b/bgpd/bgp_fsm.c
@@ -2106,6 +2106,10 @@ static int bgp_establish(struct peer *peer)
 	int status;
 
 	other = peer->doppelganger;
+	hash_release(peer->bgp->peerhash, peer);
+	if (other)
+		hash_release(peer->bgp->peerhash, other);
+
 	peer = peer_xfer_conn(peer);
 	if (!peer) {
 		flog_err(EC_BGP_CONNECT, "%%Neighbor failed in xfer_conn");
@@ -2310,7 +2314,6 @@ static int bgp_establish(struct peer *peer)
 	 * the doppelgangers su and this peer's su are the same
 	 * so the hash_release is the same for either.
 	 */
-	hash_release(peer->bgp->peerhash, peer);
 	(void)hash_get(peer->bgp->peerhash, peer, hash_alloc_intern);
 
 	/* Start BFD peer if not already running. */
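Review bot: The two hash_release() calls added before peer_xfer_conn() have no counterpart on the failure branch: when peer_xfer_conn() returns NULL the `if (!peer)` block presumably returns, and neither the configured peer nor `other` is put back into bgp->peerhash, so the peer stays invisible to address-based lookups until something else re-inserts it; the re-insert via hash_get() exists only on the success path in the second hunk. If that is intended, say so in a comment; otherwise keep the original pointer (`peer` has already been overwritten with NULL there) and re-add it in the error branch with `(void)hash_get(peer->bgp->peerhash, saved_peer, hash_alloc_intern);` using whatever name the function chooses for the saved pointer. The release itself is explained only by the commit message, so a why-comment above it would help the next reader, e.g. `/* CONFIG_NODE is part of the peerhash key and peer_xfer_conn() may change it; drop both entries now and re-add the survivor once the transfer is done. */`. bgp_establish() starts before and continues after this hunk.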
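Review bot: The comment block ending `* so the hash_release is the same for either.` now describes a call that this hunk removes, so it sits stale above the remaining hash_get(); reword it to describe what the line below actually does, e.g. `/* Both peerhash entries were released before peer_xfer_conn(); re-insert the surviving peer now that its key (sockunion plus CONFIG_NODE) is final. */`. The start of that comment lies outside the hunk, so the first lines may need the same treatment. It is also worth stating in the comment that on the failure path of peer_xfer_conn() no re-insert happens, since a reader seeing only this hash_get() will assume the hash is always restored.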