bgpd: Free only subattributes, not the whole attr_extra pointer

Avoid use-after-free situation. Flush attr_extra structure only when flushing
all attributes, not just for unintern.

Signed-off-by: Donatas Abraitis <donatas.abraitis@gmail.com>

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 5e773ca1f199dc475ab7c6708eee57da36d8e667..ed97cbcd821419f30f64eddda54930d3512029f4 100644 (file)
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1194,7 +1194,6 @@ void bgp_attr_unintern(struct attr **pattr)
        if (attr->refcnt == 0) {
                ret = hash_release(attrhash, attr);
                assert(ret != NULL);
-               bgp_attr_extra_free(attr);
                XFREE(MTYPE_ATTR, attr);
                *pattr = NULL;
        }
@@ -1255,6 +1254,7 @@ void bgp_attr_flush(struct attr *attr)
                bgp_attr_set_vnc_subtlvs(attr, NULL);
        }
 #endif
+       bgp_attr_extra_free(attr);
 }
 
 /* Implement draft-scudder-idr-optional-transitive behaviour and