From: Donald Sharp Date: Sat, 20 May 2017 12:22:23 +0000 (-0400) Subject: bgpd: Fix crash when going down X-Git-Tag: reindent-master-before~127^2 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=refs%2Fpull%2F596%2Fhead;p=mirror%2Ffrr.git bgpd: Fix crash when going down When bgp is sent a SIGINT signal with vrf's configured bgp proceeds to crash on the way down. This is because the bm->bgp list was deleted( but the pointer was kept around) and then later in the going down process vrf_terminate is called which attempts to find any associated processes. Since memory has been freed and subsuquently used for something else we get a corrupt bgp pointer and bgp crashes. Here is the trace: (gdb) bt at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 at sigevent.c:255 at thread.c:1315 (gdb) Multiple protocols besides bgp and zebra running are needed to make this happen as well. So a weird timing related issue? Signed-off-by: Donald Sharp --- diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c index 8714820e2a..9fcbff0f53 100644 --- a/bgpd/bgp_main.c +++ b/bgpd/bgp_main.c @@ -194,7 +194,6 @@ bgp_exit (int status) /* reverse bgp_master_init */ for (ALL_LIST_ELEMENTS (bm->bgp, node, nnode, bgp)) bgp_delete (bgp); - list_free (bm->bgp); /* reverse bgp_dump_init */ bgp_dump_finish (); @@ -246,6 +245,7 @@ bgp_exit (int status) closezlog (); + list_delete (bm->bgp); memset (bm, 0, sizeof (*bm)); if (bgp_debug_count())