pimd: crash fix when RP is removed

pimd crash at pim_msg_build_jp_groups (
grp=grp@entry=0x7ffca55b5d1e, sgs=sgs@entry=0x17821a0, size=20)
 at pimd/pim_msg.c:198

Fix for https://github.com/FRRouting/frr/issues/6849

Root Cause:
===========
pimd has crashed because pim_upstream_rpf_clear function sets the
up->rpf.source_nexthop.interface pointer to NULL and has not removed
the upstream source node from the neighbor. When the upstream gets
deleted the source is not removed from neighbor
neigh->upstream_jp_agg->groups->sources list. This source node has
pointer to upstream freed memory. Hence when on_neighbor_jp_timer expires,
it tries to access the upstream pointer and crashed.

Fix:
====
Before setting the interface pointer to NULL, remove the node from
neigh->upstream_jp_agg->groups->sources list. Also the upstream state
has to be changed to Not joined.

Removed extra line changes.

Signed-off-by: Mobashshera Rasool <mrasool@vmware.com>

diff --git a/pimd/pim_rpf.c b/pimd/pim_rpf.c
index f971520c8689c4265d70ee51447be1aada03e8f6..043ccdb848fb699f50190932f1f6af0371a6d173 100644 (file)
--- a/pimd/pim_rpf.c
+++ b/pimd/pim_rpf.c
@@ -346,6 +346,7 @@ void pim_upstream_rpf_clear(struct pim_instance *pim,
                            struct pim_upstream *up)
 {
        if (up->rpf.source_nexthop.interface) {
+               pim_upstream_switch(pim, up, PIM_UPSTREAM_NOTJOINED);
                up->rpf.source_nexthop.interface = NULL;
                up->rpf.source_nexthop.mrib_nexthop_addr.u.prefix4.s_addr =
                        PIM_NET_INADDR_ANY;