A recent commit removed the `bi->net = NULL;` assignment that
followed the unlock of the bi->net pointer. That assignment
was preventing a use-after-free crash seen in other code
paths, while commit
37e679629f9 was fixing
a crash in a different code path.
Make the handling of the parent->net pointer aware that the
node may be locked/freed from multiple places, and do not NULL
the pointer unless we have actually freed the data.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
struct bgp_info *bi = (struct bgp_info *)e->parent;
if (bi->net)
- bgp_unlock_node((struct bgp_node *)bi->net);
+ bi->net = bgp_unlock_node((struct bgp_node *)bi->net);
bgp_info_unlock(e->parent);
e->parent = NULL;
}
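Review bot: After the new assignment, `bi->net` stays non-NULL whenever other holders still reference the node, even though this path has just dropped its own reference, so the `if (bi->net)` guard no longer tells a later caller whether this `bgp_info` still holds a lock. That is safe against use-after-free and double unlock only if `route_unlock_node()` returns NULL exactly when it frees the node and every other path that reaches `bi->net` holds its own lock; neither is visible in these hunks, so both should be confirmed. The new return contract is also undocumented: the header comment in the `bgp_unlock_node` hunk still reads only `bgp_unlock_node`, and I would extend it to `bgp_unlock_node - drop one reference; returns NULL if the node was freed, otherwise the still-valid node`, assuming that is what `route_unlock_node()` returns. The enclosing function starts outside this hunk.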
/*
* bgp_unlock_node
*/
-static inline void bgp_unlock_node(struct bgp_node *node)
+static inline struct bgp_node *bgp_unlock_node(struct bgp_node *node)
{
- route_unlock_node(bgp_node_to_rnode(node));
+ return (struct bgp_node *)route_unlock_node(bgp_node_to_rnode(node));
}
/*