proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-13 22:26:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

bgpd: fix invalid memory access in peer_free()

Browse Source 
We shoult not call bgp_unlock() before calling
bgp_delete_connected_nexthop() in the peer_free() function. Otherwise,
if bgp->lock reaches zero, bgp_free() is called and peer->bgp becomes
an invalid pointer in the bgp_delete_connected_nexthop() function.

To fix this, move the call to bgp_unlock() to the end of peer_free().

Bug exposed by commit 37d361e ("bgpd: plug several memleaks").

Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
This commit is contained in:
Renato Westphal 2016-11-28 15:00:05 -02:00
parent 5a8dfcd891
commit f4f59de462
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
bgpd/bgpd.c
View File

@ -1019,8 +1019,6 @@ peer_free (struct peer *peer)
{
assert (peer->status == Deleted);
bgp_unlock(peer->bgp);
/* this /ought/ to have been done already through bgp_stop earlier,
* but just to be sure..
*/
@ -1092,6 +1090,8 @@ peer_free (struct peer *peer)
bfd_info_free(&(peer->bfd_info));
bgp_unlock(peer->bgp);
memset (peer, 0, sizeof (struct peer));
XFREE (MTYPE_BGP_PEER, peer);