bgpd: Fix crash reported by NetDEF CI

This patch is part of the previously submitted patch set on VPN and
Encap SAFIs.  It fixes an issue identified by NetDEF CI.

Ensure temp stack structures are initialized Add protection against
double frees / post free access to bgp_attr_flush

Signed-off-by: Lou Berger <lberger@labn.net>

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index b1388d0c4eb34a5716bd9879a78021d950f5fee6..220acb3ea8335030a0231c472ce559683286c63d 100644 (file)
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -962,9 +962,15 @@ void
 bgp_attr_flush (struct attr *attr)
 {
   if (attr->aspath && ! attr->aspath->refcnt)
-    aspath_free (attr->aspath);
+    {
+      aspath_free (attr->aspath);
+      attr->aspath = NULL;
+    }
   if (attr->community && ! attr->community->refcnt)
-    community_free (attr->community);
+    {
+      community_free (attr->community);
+      attr->community = NULL;
+    }
   if (attr->extra)
     {
       struct attr_extra *attre = attr->extra;
@@ -972,9 +978,15 @@ bgp_attr_flush (struct attr *attr)
       if (attre->ecommunity && ! attre->ecommunity->refcnt)
         ecommunity_free (&attre->ecommunity);
       if (attre->cluster && ! attre->cluster->refcnt)
-        cluster_free (attre->cluster);
+        {
+          cluster_free (attre->cluster);
+          attre->cluster = NULL;
+        }
       if (attre->transit && ! attre->transit->refcnt)
-        transit_free (attre->transit);
+        {
+          transit_free (attre->transit);
+          attre->transit = NULL;
+        }
       encap_free(attre->encap_subtlvs);
       attre->encap_subtlvs = NULL;
 #if ENABLE_BGP_VNC

diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
index 764bb6c438d8c521e50f6ceab783994fb4b1c70c..afb37aeef6a8f6743234697358206cbf03a76da7 100644 (file)
--- a/bgpd/bgp_route.c
+++ b/bgpd/bgp_route.c
@@ -2359,6 +2359,9 @@ bgp_update (struct peer *peer, struct prefix *p, u_int32_t addpath_id,
   int vnc_implicit_withdraw = 0;
 #endif
 
+  memset (&new_attr, 0, sizeof(struct attr));
+  memset (&new_extra, 0, sizeof(struct attr_extra));
+
   bgp = peer->bgp;
   rn = bgp_afi_node_get (bgp->rib[afi][safi], afi, safi, p, prd);