From 40965e599975b019bbe6f4b1dfb3ff22d8980876 Mon Sep 17 00:00:00 2001
From: Rajasekar Raja <rajasekarr@nvidia.com>
Date: Mon, 22 Jul 2024 10:13:19 -0700
Subject: [PATCH] bgpd: backpressure - Avoid use after free

Coverity complains there is a use after free (1598495 and 1598496)
At this point, most likely dest->refcount cannot go 1 and free up
the dest, but there might be some code path where this can happen.

Fixing this with a simple order change (no harm fix).

Ticket :#4001204

Signed-off-by: Rajasekar Raja <rajasekarr@nvidia.com>
---
 bgpd/bgp_evpn.c | 2 +-
 bgpd/bgpd.c     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bgpd/bgp_evpn.c b/bgpd/bgp_evpn.c
index baf1d4ca6d..7706a3eca4 100644
--- a/bgpd/bgp_evpn.c
+++ b/bgpd/bgp_evpn.c
@@ -6339,9 +6339,9 @@ void bgp_evpn_free(struct bgp *bgp, struct bgpevpn *vpn)
 	     dest = dest_next) {
 		dest_next = zebra_announce_next(&bm->zebra_announce_head, dest);
 		if (dest->za_vpn == vpn) {
+			zebra_announce_del(&bm->zebra_announce_head, dest);
 			bgp_path_info_unlock(dest->za_bgp_pi);
 			bgp_dest_unlock_node(dest);
-			zebra_announce_del(&bm->zebra_announce_head, dest);
 		}
 	}
 
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index ec329d0c54..043a6e201c 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -3954,9 +3954,9 @@ int bgp_delete(struct bgp *bgp)
 		dest_next = zebra_announce_next(&bm->zebra_announce_head, dest);
 		dest_table = bgp_dest_table(dest);
 		if (dest_table->bgp == bgp) {
+			zebra_announce_del(&bm->zebra_announce_head, dest);
 			bgp_path_info_unlock(dest->za_bgp_pi);
 			bgp_dest_unlock_node(dest);
-			zebra_announce_del(&bm->zebra_announce_head, dest);
 		}
 	}
 
-- 
2.39.5