From: Mobashshera Rasool <mrasool@vmware.com>
Date: Tue, 4 Aug 2020 06:24:29 +0000 (+0000)
Subject: pimd: crash fix when RP is removed
X-Git-Tag: base_7.5~123^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=refs%2Fpull%2F6850%2Fhead;p=mirror%2Ffrr.git

pimd: crash fix when RP is removed

pimd crash at pim_msg_build_jp_groups (
grp=grp@entry=0x7ffca55b5d1e, sgs=sgs@entry=0x17821a0, size=20)
 at pimd/pim_msg.c:198

Fix for https://github.com/FRRouting/frr/issues/6849

Root Cause:
===========
pimd has crashed because pim_upstream_rpf_clear function sets the
up->rpf.source_nexthop.interface pointer to NULL and has not removed
the upstream source node from the neighbor. When the upstream gets
deleted the source is not removed from neighbor
neigh->upstream_jp_agg->groups->sources list. This source node has
pointer to upstream freed memory. Hence when on_neighbor_jp_timer expires,
it tries to access the upstream pointer and crashed.

Fix:
====
Before setting the interface pointer to NULL, remove the node from
neigh->upstream_jp_agg->groups->sources list. Also the upstream state
has to be changed to Not joined.

Removed extra line changes.

Signed-off-by: Mobashshera Rasool <mrasool@vmware.com>
---

diff --git a/pimd/pim_rpf.c b/pimd/pim_rpf.c
index f971520c86..043ccdb848 100644
--- a/pimd/pim_rpf.c
+++ b/pimd/pim_rpf.c
@@ -346,6 +346,7 @@ void pim_upstream_rpf_clear(struct pim_instance *pim,
 			    struct pim_upstream *up)
 {
 	if (up->rpf.source_nexthop.interface) {
+		pim_upstream_switch(pim, up, PIM_UPSTREAM_NOTJOINED);
 		up->rpf.source_nexthop.interface = NULL;
 		up->rpf.source_nexthop.mrib_nexthop_addr.u.prefix4.s_addr =
 			PIM_NET_INADDR_ANY;