bgpd: fix use of free memory by update_rsclient

* bgp_route.c: (bgp_static_update_rsclient) BGP sometimes crashes when
  removing route server client because of use after free.

  The code to update rsclient created a local static copy of bgp attributes
  but neglected to handle the extra information pointer.  The extra
  information was getting freed by bgp_attr_unintern() and reused later when
  the copy was passed to bgp_attr_intern().

  The fix is to use the attr_dup function to create a copy of the extra
  information, then clean it up.

diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
index 8b0a3bf9c16d5a88bbc94a5c814702449c07c3a4..fd51ad1a5bac66add9517e9be491c55b11f13957 100644 (file)
--- a/bgpd/bgp_route.c
+++ b/bgpd/bgp_route.c
@@ -3280,7 +3280,7 @@ bgp_static_update_rsclient (struct peer *rsclient, struct prefix *p,
   else
     attr_new = bgp_attr_intern (&attr);
   
-  new_attr = *attr_new;
+  bgp_attr_dup(&new_attr, attr_new);
   
   SET_FLAG (bgp->peer_self->rmap_type, PEER_RMAP_TYPE_NETWORK);
 
@@ -3309,6 +3309,7 @@ bgp_static_update_rsclient (struct peer *rsclient, struct prefix *p,
 
   bgp_attr_unintern (attr_new);
   attr_new = bgp_attr_intern (&new_attr);
+  bgp_attr_extra_free (&new_attr);
 
   for (ri = rn->info; ri; ri = ri->next)
     if (ri->peer == bgp->peer_self && ri->type == ZEBRA_ROUTE_BGP