From 765945feed90e466dcb992904e3ef3096eb0d612 Mon Sep 17 00:00:00 2001
From: Petr Vaganov
Date: Mon, 21 Apr 2025 20:52:24 +0500
Subject: [PATCH] bgpd: Fix deref after free in bgp_vrf_unlink

Found by the static analyzer Svace (ISP RAS): DEREF_AFTER_FREE - Pointer '&bgp->vrf_id' is dereferenced after the referenced memory was deallocated by passing as 1st parameter to function 'bgp_unlock'.
Signed-off-by: Petr Vaganov
---
 bgpd/bgpd.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h
index bbc45994b4..2249a266c4 100644
--- a/bgpd/bgpd.h
+++ b/bgpd/bgpd.h
@@ -2959,11 +2959,11 @@ static inline void bgp_vrf_link(struct bgp *bgp, struct vrf *vrf)
 /* Unlink BGP instance from VRF. */
 static inline void bgp_vrf_unlink(struct bgp *bgp, struct vrf *vrf)
 {
+ bgp->vrf_id = VRF_UNKNOWN;
 if (vrf->info == (void *)bgp) {
 vrf->info = NULL;
 bgp_unlock(bgp);
 }
- bgp->vrf_id = VRF_UNKNOWN;
 }

 static inline bool bgp_in_graceful_shutdown(struct bgp *bgp)
--
2.39.5
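Review bot: The moved assignment `bgp->vrf_id = VRF_UNKNOWN;` at the top of bgp_vrf_unlink has no comment saying it must stay ahead of bgp_unlock(), so a later tidy-up could move it back below the `if` and reintroduce the use-after-free. I would add `/* Reset vrf_id first: bgp_unlock() may drop the last reference and free bgp. */` directly above it. Because the field is now cleared before the unlock, any teardown code reached from bgp_unlock() that reads bgp->vrf_id (not visible in this hunk) will see VRF_UNKNOWN, which is worth confirming against the free path. The header comment `/* Unlink BGP instance from VRF. */` should also say that bgp may already be freed when the function returns, so callers do not touch it afterwards.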