From f9a3a26046d9e3cf702776370f5c90ac6d5e1ec9 Mon Sep 17 00:00:00 2001
From: Lou Berger
Date: Thu, 4 Feb 2016 21:29:49 -0500
Subject: [PATCH] bgpd: Fix crash reported by NetDEF CI This patch is part of the previously submitted patch set on VPN and Encap SAFIs. It fixes an issue identified by NetDEF CI. Ensure temp stack structures are initialized Add protection against double frees / post free access to bgp_attr_flush
Signed-off-by: Lou Berger
---
 bgpd/bgp_attr.c | 20 ++++++++++++++++----
 bgpd/bgp_route.c | 3 +++
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index b1388d0c4e..220acb3ea8 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -962,9 +962,15 @@ void
 bgp_attr_flush (struct attr *attr)
 {
 if (attr->aspath && ! attr->aspath->refcnt)
- aspath_free (attr->aspath);
+ {
+ aspath_free (attr->aspath);
+ attr->aspath = NULL;
+ }
 if (attr->community && ! attr->community->refcnt)
- community_free (attr->community);
+ {
+ community_free (attr->community);
+ attr->community = NULL;
+ }
 if (attr->extra)
 {
 struct attr_extra *attre = attr->extra;
@@ -972,9 +978,15 @@ bgp_attr_flush (struct attr *attr)
 if (attre->ecommunity && ! attre->ecommunity->refcnt)
 ecommunity_free (&attre->ecommunity);
 if (attre->cluster && ! attre->cluster->refcnt)
- cluster_free (attre->cluster);
+ {
+ cluster_free (attre->cluster);
+ attre->cluster = NULL;
+ }
 if (attre->transit && ! attre->transit->refcnt)
- transit_free (attre->transit);
+ {
+ transit_free (attre->transit);
+ attre->transit = NULL;
+ }
 encap_free(attre->encap_subtlvs);
 attre->encap_subtlvs = NULL;
 #if ENABLE_BGP_VNC
diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
index 764bb6c438..afb37aeef6 100644
--- a/bgpd/bgp_route.c
+++ b/bgpd/bgp_route.c
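Review bot: bgp_attr_flush has no comment stating the ownership rule that the new `attr->aspath = NULL;` and `attr->community = NULL;` resets depend on: only members whose refcnt is zero are freed and cleared, while members that are still referenced keep their pointer. I would add above the function `/* Free members that are not referenced (refcnt == 0) and NULL them, so a second flush or a later read of attr cannot touch freed memory. */`. The same comment covers the cluster and transit resets in the next hunk. The function body continues past the end of this hunk.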
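Review bot: `ecommunity_free (&attre->ecommunity);` is now the only free in the visible part of this function with no explicit reset beside it, so the double-free protection for ecommunity depends on ecommunity_free clearing the caller's pointer through the address it receives, which this diff does not show. If that is not guaranteed, give the call a braced body like the other members and add `attre->ecommunity = NULL;` after it. The `#if ENABLE_BGP_VNC` branch that follows lies outside the hunk, so any member freed there should be checked for the same reset.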
@@ -2359,6 +2359,9 @@ bgp_update (struct peer *peer, struct prefix *p, u_int32_t addpath_id, int vnc_implicit_withdraw = 0; #endif + memset (&new_attr, 0, sizeof(struct attr)); + memset (&new_extra, 0, sizeof(struct attr_extra)); + bgp = peer->bgp; rn = bgp_afi_node_get (bgp->rib[afi][safi], afi, safi, p, prd); -- 2.39.5
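Review bot: The two added memset calls in bgp_update size the clear by type name, `sizeof(struct attr)` and `sizeof(struct attr_extra)`, rather than by the object being cleared; `memset (&new_attr, 0, sizeof new_attr);` and `memset (&new_extra, 0, sizeof new_extra);` stay correct if either declaration changes. A one-line comment such as `/* Zero the stack copies so an early bgp_attr_flush () sees NULL members, not stack garbage. */` would record why the clear has to come before any path that can flush them. That reason is inferred from the commit message, since the declarations and the error paths of bgp_update are outside the hunk.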