mirror of
https://git.proxmox.com/git/mirror_frr
synced 2025-08-06 10:22:07 +00:00
bgpd: fix use of free memory by update_rsclient
* bgp_route.c: (bgp_static_update_rsclient) BGP sometimes crashes when removing route server client because of use after free. The code to update rsclient created a local static copy of bgp attributes but neglected to handle the extra information pointer. The extra information was getting freed by bgp_attr_unintern() and reused later when the copy was passed to bgp_attr_intern(). The fix is to use the attr_dup function to create a copy of the extra information, then clean it up.
This commit is contained in:
parent
368473f612
commit
7badc26301
@ -3280,7 +3280,7 @@ bgp_static_update_rsclient (struct peer *rsclient, struct prefix *p,
|
||||
else
|
||||
attr_new = bgp_attr_intern (&attr);
|
||||
|
||||
new_attr = *attr_new;
|
||||
bgp_attr_dup(&new_attr, attr_new);
|
||||
|
||||
SET_FLAG (bgp->peer_self->rmap_type, PEER_RMAP_TYPE_NETWORK);
|
||||
|
||||
@ -3309,6 +3309,7 @@ bgp_static_update_rsclient (struct peer *rsclient, struct prefix *p,
|
||||
|
||||
bgp_attr_unintern (attr_new);
|
||||
attr_new = bgp_attr_intern (&new_attr);
|
||||
bgp_attr_extra_free (&new_attr);
|
||||
|
||||
for (ri = rn->info; ri; ri = ri->next)
|
||||
if (ri->peer == bgp->peer_self && ri->type == ZEBRA_ROUTE_BGP
|
||||
|
Loading…
Reference in New Issue
Block a user