From: Stephen Hemminger Date: Thu, 5 Aug 2010 17:26:31 +0000 (-0700) Subject: bgpd: fix use of free memory by update_rsclient X-Git-Tag: frr-2.0-rc1~2106 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=7badc26301c8063dc2c6f171c11f9af4f3d0df20;p=mirror%2Ffrr.git bgpd: fix use of free memory by update_rsclient * bgp_route.c: (bgp_static_update_rsclient) BGP sometimes crashes when removing route server client because of use after free. The code to update rsclient created a local static copy of bgp attributes but neglected to handle the extra information pointer. The extra information was getting freed by bgp_attr_unintern() and reused later when the copy was passed to bgp_attr_intern(). The fix is to use the attr_dup function to create a copy of the extra information, then clean it up. --- diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c index 8b0a3bf9c1..fd51ad1a5b 100644 --- a/bgpd/bgp_route.c +++ b/bgpd/bgp_route.c @@ -3280,7 +3280,7 @@ bgp_static_update_rsclient (struct peer *rsclient, struct prefix *p, else attr_new = bgp_attr_intern (&attr); - new_attr = *attr_new; + bgp_attr_dup(&new_attr, attr_new); SET_FLAG (bgp->peer_self->rmap_type, PEER_RMAP_TYPE_NETWORK); @@ -3309,6 +3309,7 @@ bgp_static_update_rsclient (struct peer *rsclient, struct prefix *p, bgp_attr_unintern (attr_new); attr_new = bgp_attr_intern (&new_attr); + bgp_attr_extra_free (&new_attr); for (ri = rn->info; ri; ri = ri->next) if (ri->peer == bgp->peer_self && ri->type == ZEBRA_ROUTE_BGP
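Review bot: The copy made by `bgp_attr_dup(&new_attr, attr_new);` in the first hunk (around line 3280) is released only by the `bgp_attr_extra_free (&new_attr);` added around line 3309, so any return in the lines between the two hunks, which this diff does not show, would leak the duplicated extra information. Please check every exit path between the dup and the free and release the copy there as well. A minor style point on the same line: the surrounding calls put a space before the parenthesis (`bgp_attr_intern (&attr)`, `SET_FLAG (...)`), so this should read `bgp_attr_dup (&new_attr, attr_new);`.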
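Review bot: The `bgp_attr_extra_free (&new_attr);` added in the second hunk directly after `attr_new = bgp_attr_intern (&new_attr);` is safe only if bgp_attr_intern() keeps no reference to new_attr's extra pointer, and nothing at this spot documents that. Since the bug being fixed was exactly a shared extra pointer being freed and then reused, a short comment here stating that new_attr holds a private copy from bgp_attr_dup() and that the interned attribute does not alias it would stop a later change from reintroducing the problem. It is also worth confirming that nothing after this line in the function reads new_attr's extra information once it has been freed.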