bgpd: Hash release before we change the underlying hash assumptions
authorDonald Sharp <sharpd@nvidia.com>
Fri, 2 Dec 2022 17:51:34 +0000 (12:51 -0500)
committerDonald Sharp <sharpd@nvidia.com>
Mon, 5 Dec 2022 14:11:22 +0000 (09:11 -0500)
The bgp->peerhash is made up of the sockunion and the CONFIG_NODE
flag.  If the CONFIG_NODE flag is moved around or changed then
we get into a situation where both the doppelganger and the peer
actually hash to the exact same thing.  Leading to wrongful deletion
and pointers being used after they are freed.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
bgpd/bgp_fsm.c

index db68c918c05ce6a62d9a7084eace21e5cf3c2cdc..1f6ab8d59377f11cb96452601609b9582412df2a 100644 (file)
@@ -2106,6 +2106,10 @@ static int bgp_establish(struct peer *peer)
        int status;
 
        other = peer->doppelganger;
+       hash_release(peer->bgp->peerhash, peer);
+       if (other)
+               hash_release(peer->bgp->peerhash, other);
+
        peer = peer_xfer_conn(peer);
        if (!peer) {
                flog_err(EC_BGP_CONNECT, "%%Neighbor failed in xfer_conn");
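Review bot: The two added hash_release() calls run unconditionally before peer_xfer_conn(), but the matching re-insert (`(void)hash_get(peer->bgp->peerhash, peer, hash_alloc_intern);` in the second hunk) only happens on the success path, so when peer_xfer_conn() returns NULL the peer that was in bgp->peerhash before this call is no longer there. Whether that is a real problem depends on what peer_xfer_conn() does with the original peer on failure, which is not visible in this hunk; if it leaves the original alive, the error branch should re-add it to the hash (or the release should be deferred until the transfer is known to have succeeded). If the omission is intentional, a short comment on the `if (!peer)` branch would save the next reader the same question, e.g. `/* peer was already released from peerhash above; xfer failure means it is being torn down, so do not re-add it */` — adjusted to whatever peer_xfer_conn() actually guarantees. The comment block kept in the second hunk ("the hash_release is the same for either") now describes a hash_release() that this commit removed from that spot and should be reworded to point at the release done here, before peer_xfer_conn(). The `if (!peer)` branch and the rest of bgp_establish() continue outside the hunk.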
@@ -2310,7 +2314,6 @@ static int bgp_establish(struct peer *peer)
         * the doppelgangers su and this peer's su are the same
         * so the hash_release is the same for either.
         */
-       hash_release(peer->bgp->peerhash, peer);
        (void)hash_get(peer->bgp->peerhash, peer, hash_alloc_intern);
 
        /* Start BFD peer if not already running. */