[cmaster-next] [PATCH] bgpd: fix invalid memory access in peer_free()
David Lamparter
equinox at opensourcerouting.org
Thu Dec 1 10:38:27 EST 2016
I've applied it on stable/2.0 even though we don't have the "plug
memleaks" patch there. (Maybe we should?)
-David
On Mon, Nov 28, 2016 at 04:47:13PM -0200, Renato Westphal wrote:
> We should not call bgp_unlock() before calling
> bgp_delete_connected_nexthop() in the peer_free() function. Otherwise,
> if bgp->lock reaches zero, bgp_free() is called and peer->bgp becomes
> an invalid pointer in the bgp_delete_connected_nexthop() function.
>
> To fix this, move the call to bgp_unlock() to the end of peer_free().
>
> Bug exposed by commit 37d361e ("bgpd: plug several memleaks").
>
> Signed-off-by: Renato Westphal <renato at opensourcerouting.org>
> ---
> bgpd/bgpd.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
> index 22d4dd8..d5aff84 100644
> --- a/bgpd/bgpd.c
> +++ b/bgpd/bgpd.c
> @@ -1019,8 +1019,6 @@ peer_free (struct peer *peer)
> {
> assert (peer->status == Deleted);
>
> - bgp_unlock(peer->bgp);
> -
> /* this /ought/ to have been done already through bgp_stop earlier,
> * but just to be sure..
> */
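Review bot: Dropping the early unlock is the right fix, but once this call is gone nothing in the function says why the reference must be held: the cleanup that follows (the commit message names bgp_delete_connected_nexthop()) dereferences peer->bgp, and the surviving comment only talks about bgp_stop. Put a one-line note where the call used to be, e.g. `/* bgp_unlock(peer->bgp) is deferred to the end: cleanup below still needs peer->bgp */`, so a later reorder does not reintroduce the same invalid access the patch is fixing.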
> @@ -1092,6 +1090,8 @@ peer_free (struct peer *peer)
>
> bfd_info_free(&(peer->bfd_info));
>
> + bgp_unlock(peer->bgp);
> +
> memset (peer, 0, sizeof (struct peer));
>
> XFREE (MTYPE_BGP_PEER, peer);
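Review bot: The relocated `bgp_unlock(peer->bgp);` may free the object peer->bgp points to, and the only statements after it in this hunk are the `memset` and `XFREE` of the peer itself, so the new ordering is safe as written but enforced by nothing except position. Annotate the call (e.g. `/* must be the last use of peer->bgp: may free it */`), because between this line and the memset peer->bgp is potentially dangling, and any teardown step someone later inserts in that window and that touches peer->bgp would silently regress.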
> --
> 1.9.1
>
>
> _______________________________________________
> cmaster-next mailing list
> cmaster-next at lists.nox.tf
> https://lists.nox.tf/listinfo/cmaster-next
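The ordering hazard the commit message describes, as an added example that is not bgpd's own code: a parent object refcounted by its children, and a child teardown that must dereference the parent. The names (bgp_model, peer_model, bgp_unlock_model, delete_connected_nexthop_model, run_scenario) and the `freed` flag are assumptions of this illustration; a freed parent is only flagged rather than released, so the pre-patch path can be observed instead of being undefined behaviour. The example also shows the case the commit message implies by "if bgp->lock reaches zero": with any other reference still held, the buggy order does not fail at all.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bgp/peer lifetime (added example, not bgpd code):
 * a parent "bgp" is refcounted by its "peer" children, and a peer's cleanup
 * dereferences peer->bgp. A freed parent is flagged, not released, so the
 * dangling access can be counted instead of crashing. */

struct bgp_model {
	int lock;      /* reference count, like bgp->lock */
	int nexthops;  /* stands in for per-peer connected-nexthop state */
	int freed;     /* set by bgp_free_model(); a real free releases memory */
};

struct peer_model {
	struct bgp_model *bgp;
	int has_nexthop;
};

struct outcome {
	int dangling;         /* accesses to an already-freed bgp (0 == correct) */
	int leaked_nexthops;  /* nexthop state left behind after peer teardown */
};

static int dangling_accesses;

static void bgp_free_model(struct bgp_model *bgp)
{
	bgp->freed = 1;
}

/* Like bgp_unlock(): drops a reference and frees the parent on the last one. */
static void bgp_unlock_model(struct bgp_model *bgp)
{
	assert(bgp->lock > 0);
	if (--bgp->lock == 0)
		bgp_free_model(bgp);
}

/* Like bgp_delete_connected_nexthop(): needs a live peer->bgp. */
static void delete_connected_nexthop_model(struct peer_model *peer)
{
	if (peer->bgp->freed) {
		dangling_accesses++;  /* in real code: use-after-free */
		return;
	}
	if (peer->has_nexthop) {
		peer->bgp->nexthops--;
		peer->has_nexthop = 0;
	}
}

/* Pre-patch ordering: the reference is dropped before cleanup uses peer->bgp. */
static void peer_free_buggy(struct peer_model *peer)
{
	bgp_unlock_model(peer->bgp);
	delete_connected_nexthop_model(peer);
	memset(peer, 0, sizeof(*peer));
}

/* Patched ordering: every use of peer->bgp precedes the unlock. */
static void peer_free_fixed(struct peer_model *peer)
{
	delete_connected_nexthop_model(peer);
	bgp_unlock_model(peer->bgp);  /* may free peer->bgp; nothing below uses it */
	memset(peer, 0, sizeof(*peer));
}

/* Tears down one peer of a bgp that holds extra_refs other references
 * (0 means the peer being freed owns the last one). */
static struct outcome run_scenario(int use_fixed, int extra_refs)
{
	struct bgp_model bgp = { .lock = 1 + extra_refs, .nexthops = 1, .freed = 0 };
	struct peer_model peer = { .bgp = &bgp, .has_nexthop = 1 };
	struct outcome out;

	dangling_accesses = 0;
	if (use_fixed)
		peer_free_fixed(&peer);
	else
		peer_free_buggy(&peer);

	out.dangling = dangling_accesses;
	out.leaked_nexthops = bgp.nexthops;
	return out;
}

int main(void)
{
	struct outcome buggy = run_scenario(0, 0);
	struct outcome fixed = run_scenario(1, 0);
	struct outcome hidden = run_scenario(0, 1);

	printf("buggy order, last ref:  dangling=%d leaked=%d\n", buggy.dangling, buggy.leaked_nexthops);
	printf("fixed order, last ref:  dangling=%d leaked=%d\n", fixed.dangling, fixed.leaked_nexthops);
	printf("buggy order, extra ref: dangling=%d leaked=%d\n", hidden.dangling, hidden.leaked_nexthops);
	return 0;
}
```

The third scenario is the practitioner's caveat: as long as something else still holds a reference, the early unlock never reaches zero and the wrong order is invisible, which is why a refcount ordering bug like this can sit dormant until a leak elsewhere is plugged.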