bgpd: fix use of free memory by update_rsclient

* bgp_route.c: (bgp_static_update_rsclient) BGP sometimes crashes when
  removing route server client because of use after free.

  The code to update rsclient created a local static copy of bgp attributes
  but neglected to handle the extra information pointer.  The extra
  information was getting freed by bgp_attr_unintern() and reused later when
  the copy was passed to bgp_attr_intern().

  The fix is to use the attr_dup function to create a copy of the extra
  information, then clean it up.
Stephen Hemminger 2010-08-05 10:26:31 -07:00 committed by Paul Jakma
parent 368473f612
commit 7badc26301

@ -3280,7 +3280,7 @@ bgp_static_update_rsclient (struct peer *rsclient, struct prefix *p,
else
attr_new = bgp_attr_intern (&attr);
new_attr = *attr_new;
bgp_attr_dup(&new_attr, attr_new);
SET_FLAG (bgp->peer_self->rmap_type, PEER_RMAP_TYPE_NETWORK);
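Review bot: `bgp_attr_dup(&new_attr, attr_new);` gives new_attr its own copy of the extra information, but the only release in this patch is the `bgp_attr_extra_free (&new_attr);` added near line 3311, and the roughly thirty lines between the two hunks are not shown. If any path in that range returns from bgp_static_update_rsclient early, the duplicated extra leaks; please check each exit and free it there too, or route them through a single cleanup point. Minor style: the surrounding calls put a space before the parenthesis (`bgp_attr_intern (&attr)`), so this should read `bgp_attr_dup (&new_attr, attr_new);`.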
@ -3309,6 +3309,7 @@ bgp_static_update_rsclient (struct peer *rsclient, struct prefix *p,
bgp_attr_unintern (attr_new);
attr_new = bgp_attr_intern (&new_attr);
bgp_attr_extra_free (&new_attr);
for (ri = rn->info; ri; ri = ri->next)
if (ri->peer == bgp->peer_self && ri->type == ZEBRA_ROUTE_BGP
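Review bot: freeing with `bgp_attr_extra_free (&new_attr);` immediately after `attr_new = bgp_attr_intern (&new_attr);` is correct only if bgp_attr_intern stores its own copy of the extra information rather than keeping new_attr's pointer, and nothing in the visible lines says so. Since the original bug was a shared extra pointer being freed and then reused, a one-line comment above the free stating that the interned attribute no longer references new_attr's extra would keep a later reader from reordering or removing these calls.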