bgpd: Prevent use after free

When bgp_stop finishes and it deletes the peer it is sending
back a return code stating that the peer was deleted, but
the code was operating like it was not deleted and continued
to access the data structure.  Fix.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>

diff --git a/bgpd/bgp_fsm.c b/bgpd/bgp_fsm.c
index d08159eb50fbe129068522e5df8ea57fb5a9cfd1..92038a73e4e2e6c952c2fc13b40e8dd23278ac7d 100644 (file)
--- a/bgpd/bgp_fsm.c
+++ b/bgpd/bgp_fsm.c
@@ -2675,7 +2675,6 @@ int bgp_event_update(struct peer *peer, enum bgp_fsm_events event)
                bgp_timer_set(peer);
                break;
        case BGP_FSM_FAILURE:
-       case BGP_FSM_FAILURE_AND_DELETE:
                /*
                 * If we got a return value of -1, that means there was an
                 * error, restart the FSM. Since bgp_stop() was called on the
@@ -2699,7 +2698,9 @@ int bgp_event_update(struct peer *peer, enum bgp_fsm_events event)
                        bgp_timer_set(peer);
                }
                fsm_result = FSM_PEER_STOPPED;
-
+               break;
+       case BGP_FSM_FAILURE_AND_DELETE:
+               fsm_result = FSM_PEER_STOPPED;
                break;
        }