| author | Renato Westphal <renato@opensourcerouting.org> | 2016-11-28 16:47:13 -0200 |
|---|---|---|
| committer | David Lamparter <equinox@opensourcerouting.org> | 2016-12-01 16:34:19 +0100 |
| commit | ff999357fd95690c8105b9da24aa39a2b7ce51a6 (patch) | |
| tree | b7b5dcabf03aeaa3c0b1bac34b6f0067e56f591d | |
| parent | 34620e24b5d8fcb0d66f77dfb39bcd8da636564a (diff) | |
bgpd: fix invalid memory access in peer_free()
We should not call bgp_unlock() before calling
bgp_delete_connected_nexthop() in the peer_free() function. Otherwise,
if bgp->lock reaches zero, bgp_free() is called and peer->bgp becomes
an invalid pointer in the bgp_delete_connected_nexthop() function.
To fix this, move the call to bgp_unlock() to the end of peer_free().
Bug exposed by commit 37d361e ("bgpd: plug several memleaks").
Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
| -rw-r--r-- | bgpd/bgpd.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c index 7554b512e8..7675df226b 100644 --- a/bgpd/bgpd.c +++ b/bgpd/bgpd.c @@ -1018,8 +1018,6 @@ peer_free (struct peer *peer) { assert (peer->status == Deleted); - bgp_unlock(peer->bgp); - /* this /ought/ to have been done already through bgp_stop earlier, * but just to be sure.. */ @@ -1085,6 +1083,8 @@ peer_free (struct peer *peer) bfd_info_free(&(peer->bfd_info)); + bgp_unlock(peer->bgp); + memset (peer, 0, sizeof (struct peer)); XFREE (MTYPE_BGP_PEER, peer); |
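
Review bot: the relocated bgp_unlock(peer->bgp) in the second hunk, placed after bfd_info_free() and just before the memset/XFREE, now depends on an ordering rule that nothing in the code states. Per the commit message, this call can drop the last reference and trigger bgp_free(), so a one-line comment above it saying that it must stay after every use of peer->bgp in peer_free() would keep a later cleanup from moving it back up or from adding a new peer->bgp user below it.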
