diff options
| author | Donald Sharp <sharpd@nvidia.com> | 2024-03-13 10:26:58 -0400 |
|---|---|---|
| committer | Donald Sharp <sharpd@nvidia.com> | 2024-03-13 19:28:11 -0400 |
| commit | e613e12f12b9274520ff2a8650496bdeb97e011c (patch) | |
| tree | e398aa39fa777e80ca5fa03ce2184f3ec2cfcacc | |
| parent | 75bd2716cf131e8e63f0da9cf5e37717341907ae (diff) | |
bgpd: Ensure that the correct aspath is free'd
Currently in subgroup_default_originate the attr.aspath
is set in bgp_attr_default_set, which hashs the aspath
and creates a refcount for it. If this is a withdraw
the subgroup_announce_check and bgp_adj_out_set_subgroup
is called which will intern the attribute. This will
cause the the attr.aspath to be set to a new value
finally at the bottom of the function it intentionally
uninterns the aspath which is not the one that was
created for this function. This reduces the other
aspath's refcount by 1 and if a clear bgp * is issued
fast enough the aspath for that will be removed
and the system will crash.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
| -rw-r--r-- | bgpd/bgp_updgrp_adv.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/bgpd/bgp_updgrp_adv.c b/bgpd/bgp_updgrp_adv.c index cc039e3e11..e70713bb68 100644 --- a/bgpd/bgp_updgrp_adv.c +++ b/bgpd/bgp_updgrp_adv.c @@ -854,6 +854,7 @@ void subgroup_default_originate(struct update_subgroup *subgrp, bool withdraw) struct bgp *bgp; struct attr attr; struct attr *new_attr = &attr; + struct aspath *aspath; struct prefix p; struct peer *from; struct bgp_dest *dest; @@ -891,6 +892,7 @@ void subgroup_default_originate(struct update_subgroup *subgrp, bool withdraw) /* make coverity happy */ assert(attr.aspath); + aspath = attr.aspath; attr.med = 0; attr.flag |= ATTR_FLAG_BIT(BGP_ATTR_MULTI_EXIT_DISC); @@ -1046,7 +1048,7 @@ void subgroup_default_originate(struct update_subgroup *subgrp, bool withdraw) } } - aspath_unintern(&attr.aspath); + aspath_unintern(&aspath); } /* |