From: Petr Vaganov
Date: Mon, 21 Apr 2025 15:52:24 +0000 (+0500)
Subject: bgpd: Fix deref after free in bgp_vrf_unlink
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=765945feed90e466dcb992904e3ef3096eb0d612;p=mirror%2Ffrr.git

bgpd: Fix deref after free in bgp_vrf_unlink

Found by the static analyzer Svace (ISP RAS): DEREF_AFTER_FREE - Pointer '&bgp->vrf_id' is dereferenced after the referenced memory was deallocated by passing as 1st parameter to function 'bgp_unlock'.

Signed-off-by: Petr Vaganov
---

diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h
index bbc45994b4..2249a266c4 100644
--- a/bgpd/bgpd.h
+++ b/bgpd/bgpd.h
@@ -2959,11 +2959,11 @@ static inline void bgp_vrf_link(struct bgp *bgp, struct vrf *vrf)
 /* Unlink BGP instance from VRF. */
 static inline void bgp_vrf_unlink(struct bgp *bgp, struct vrf *vrf)
 {
+ bgp->vrf_id = VRF_UNKNOWN;
 if (vrf->info == (void *)bgp) {
 vrf->info = NULL;
 bgp_unlock(bgp);
 }
- bgp->vrf_id = VRF_UNKNOWN;
 }
 
 static inline bool bgp_in_graceful_shutdown(struct bgp *bgp)
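Review bot: The reordering is correct, but nothing in the hunk records why `bgp->vrf_id = VRF_UNKNOWN;` must now precede the `if`, so a later tidy-up could move the assignment back below `bgp_unlock(bgp)` and reintroduce exactly the use-after-free the commit message describes. I would mark the hazard in place, e.g. `/* bgp_unlock() may drop the last reference and free bgp; nothing below may touch it. */` above `bgp_unlock(bgp);`, or `/* Must run before bgp_unlock(): it may free bgp. */` on the moved assignment. The same constraint presumably extends to callers of bgp_vrf_unlink(), which cannot tell from the void return whether bgp was freed — worth confirming none of them dereference bgp after the call, though that is outside this hunk.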