bgpd: fix invalid memory access in peer_free()

We shoult not call bgp_unlock() before calling
bgp_delete_connected_nexthop() in the peer_free() function. Otherwise,
if bgp->lock reaches zero, bgp_free() is called and peer->bgp becomes
an invalid pointer in the bgp_delete_connected_nexthop() function.

To fix this, move the call to bgp_unlock() to the end of peer_free().

Bug exposed by commit 37d361e ("bgpd: plug several memleaks").

Signed-off-by: Renato Westphal <renato@opensourcerouting.org>

diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 22d4dd8917fb47fe13d66cf3474f09cc776135cb..d5aff84dae2f1f8ee9eba3bbeb1d39cf1d499f17 100644 (file)
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -1019,8 +1019,6 @@ peer_free (struct peer *peer)
 {
   assert (peer->status == Deleted);
 
-  bgp_unlock(peer->bgp);
-
   /* this /ought/ to have been done already through bgp_stop earlier,
    * but just to be sure.. 
    */
@@ -1092,6 +1090,8 @@ peer_free (struct peer *peer)
 
   bfd_info_free(&(peer->bfd_info));
 
+  bgp_unlock(peer->bgp);
+
   memset (peer, 0, sizeof (struct peer));
   
   XFREE (MTYPE_BGP_PEER, peer);