bgpd: fix Dereference of null pointer in flowspec

a dereference of null pointer exists in current flowspec code, with
prefix pointer. check validity of pointer before going ahead.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
index 0115d7af1eb5bda35184641bda83f2515ebd8398..90e9236385845d8e5804645417c96d7425bdc5dc 100644 (file)
--- a/bgpd/bgp_flowspec_util.c
+++ b/bgpd/bgp_flowspec_util.c
@@ -228,10 +228,12 @@ int bgp_flowspec_ip_address(enum bgp_flowspec_util_nlri_t type,
                                   BGP_FLOWSPEC_STRING_DISPLAY_MAX);
                break;
        case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
-               if (prefix_local.family == AF_INET)
-                       PREFIX_COPY_IPV4(prefix, &prefix_local)
-               else
-                       PREFIX_COPY_IPV6(prefix, &prefix_local)
+               if (prefix) {
+                       if (prefix_local.family == AF_INET)
+                               PREFIX_COPY_IPV4(prefix, &prefix_local)
+                       else
+                               PREFIX_COPY_IPV6(prefix, &prefix_local)
+               }
                break;
        case BGP_FLOWSPEC_VALIDATE_ONLY:
        default:

diff --git a/bgpd/bgp_flowspec_vty.c b/bgpd/bgp_flowspec_vty.c
index 92bec6f88a32ea7e031aefd84411d8348556d91c..798bce82190933c6fb367685cfe58461d313d63a 100644 (file)
--- a/bgpd/bgp_flowspec_vty.c
+++ b/bgpd/bgp_flowspec_vty.c
@@ -274,36 +274,33 @@ void route_vty_out_flowspec(struct vty *vty, const struct prefix *p,
                dest = path->net;
        if (dest)
                bgp_dest_get_bgp_table_info(dest);
-       /* Print prefix */
-       if (p != NULL) {
-               if (p->family != AF_FLOWSPEC)
-                       return;
-               if (json_paths) {
-                       if (display == NLRI_STRING_FORMAT_JSON)
-                               json_nlri_path = json_object_new_object();
-                       else
-                               json_nlri_path = json_paths;
-               }
-               if (display == NLRI_STRING_FORMAT_LARGE && path)
-                       vty_out(vty, "BGP flowspec entry: (flags 0x%x)\n",
-                               path->flags);
-               bgp_fs_nlri_get_string((unsigned char *)
-                                      p->u.prefix_flowspec.ptr,
-                                      p->u.prefix_flowspec.prefixlen,
-                                      return_string,
-                                      display,
-                                      json_nlri_path,
-                                      family2afi(p->u.prefix_flowspec
-                                                 .family));
-               if (display == NLRI_STRING_FORMAT_LARGE)
-                       vty_out(vty, "%s", return_string);
-               else if (display == NLRI_STRING_FORMAT_DEBUG)
-                       vty_out(vty, "%s", return_string);
-               else if (display == NLRI_STRING_FORMAT_MIN)
-                       vty_out(vty, " %-30s", return_string);
-               else if (json_paths && display == NLRI_STRING_FORMAT_JSON)
-                       json_object_array_add(json_paths, json_nlri_path);
+       if (p == NULL || p->family != AF_FLOWSPEC)
+               return;
+       if (json_paths) {
+               if (display == NLRI_STRING_FORMAT_JSON)
+                       json_nlri_path = json_object_new_object();
+               else
+                       json_nlri_path = json_paths;
        }
+       if (display == NLRI_STRING_FORMAT_LARGE && path)
+               vty_out(vty, "BGP flowspec entry: (flags 0x%x)\n",
+                       path->flags);
+       bgp_fs_nlri_get_string((unsigned char *)
+                              p->u.prefix_flowspec.ptr,
+                              p->u.prefix_flowspec.prefixlen,
+                              return_string,
+                              display,
+                              json_nlri_path,
+                              family2afi(p->u.prefix_flowspec
+                                         .family));
+       if (display == NLRI_STRING_FORMAT_LARGE)
+               vty_out(vty, "%s", return_string);
+       else if (display == NLRI_STRING_FORMAT_DEBUG)
+               vty_out(vty, "%s", return_string);
+       else if (display == NLRI_STRING_FORMAT_MIN)
+               vty_out(vty, " %-30s", return_string);
+       else if (json_paths && display == NLRI_STRING_FORMAT_JSON)
+               json_object_array_add(json_paths, json_nlri_path);
        if (!path)
                return;
        if (path->attr &&