bgpd: Ensure that the correct aspath is free'd

Currently in subgroup_default_originate the attr.aspath
is set in bgp_attr_default_set, which hashs the aspath
and creates a refcount for it.  If this is a withdraw
the subgroup_announce_check and bgp_adj_out_set_subgroup
is called which will intern the attribute.  This will
cause the the attr.aspath to be set to a new value
finally at the bottom of the function it intentionally
uninterns the aspath which is not the one that was
created for this function.  This reduces the other
aspath's refcount by 1 and if a clear bgp * is issued
fast enough the aspath for that will be removed
and the system will crash.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit e613e12f12b9274520ff2a8650496bdeb97e011c)

diff --git a/bgpd/bgp_updgrp_adv.c b/bgpd/bgp_updgrp_adv.c
index 7ecebe3020cff8f40f04a012ac054b3c5f3cca65..e0f59c42e6f76fad432f162a3fefff1e4af3b46b 100644 (file)
--- a/bgpd/bgp_updgrp_adv.c
+++ b/bgpd/bgp_updgrp_adv.c
@@ -830,6 +830,7 @@ void subgroup_default_originate(struct update_subgroup *subgrp, bool withdraw)
        struct bgp *bgp;
        struct attr attr;
        struct attr *new_attr = &attr;
+       struct aspath *aspath;
        struct prefix p;
        struct peer *from;
        struct bgp_dest *dest;
@@ -867,6 +868,7 @@ void subgroup_default_originate(struct update_subgroup *subgrp, bool withdraw)
        /* make coverity happy */
        assert(attr.aspath);
 
+       aspath = attr.aspath;
        attr.med = 0;
        attr.flag |= ATTR_FLAG_BIT(BGP_ATTR_MULTI_EXIT_DISC);
 
@@ -1022,7 +1024,7 @@ void subgroup_default_originate(struct update_subgroup *subgrp, bool withdraw)
                }
        }
 
-       aspath_unintern(&attr.aspath);
+       aspath_unintern(&aspath);
 }
 
 /*