commit 370b7e59170acf853ca3357c71dd5ab0d85e763c
author Lou Berger <lberger@labn.net> Thu Feb 04 21:29:49 2016 -0500
committer Paul Jakma <paul.jakma@hpe.com> Tue Mar 08 17:53:22 2016 +0000
tree 24cd286ecd47f6c6439e1c5971a1abbacb9e5c3a
parent bf83fa25f1bddec6f09ad879cba5e975a3ae5495

bgpd: Fix crash reported by NetDEF CI

This patch is part of the previously submitted
 patch set on VPN and Encap SAFIs.  It fixes
 an issue identified by NetDEF CI.

 Ensure temp stack structures are initialized
 Add protection against double frees / post
 free access to bgp_attr_flush

    Signed-off-by: Lou Berger <lberger@labn.net>

bgpd/bgp_attr.c

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index d74e0ef..f34e649 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -833,9 +833,15 @@
 bgp_attr_flush (struct attr *attr)
 {
   if (attr->aspath && ! attr->aspath->refcnt)
-    aspath_free (attr->aspath);
+    {
+      aspath_free (attr->aspath);
+      attr->aspath = NULL;
+    }
   if (attr->community && ! attr->community->refcnt)
-    community_free (attr->community);
+    {
+      community_free (attr->community);
+      attr->community = NULL;
+    }
   if (attr->extra)
     {
       struct attr_extra *attre = attr->extra;
@@ -843,9 +849,15 @@
       if (attre->ecommunity && ! attre->ecommunity->refcnt)
         ecommunity_free (&attre->ecommunity);
       if (attre->cluster && ! attre->cluster->refcnt)
-        cluster_free (attre->cluster);
+        {
+          cluster_free (attre->cluster);
+          attre->cluster = NULL;
+        }
       if (attre->transit && ! attre->transit->refcnt)
-        transit_free (attre->transit);
+        {
+          transit_free (attre->transit);
+          attre->transit = NULL;
+        }
       encap_free(attre->encap_subtlvs);
       attre->encap_subtlvs = NULL;
     }

bgpd/bgp_route.c

diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
index 2728b10..c364372 100644
--- a/bgpd/bgp_route.c
+++ b/bgpd/bgp_route.c
@@ -2121,6 +2121,9 @@
   const char *reason;
   char buf[SU_ADDRSTRLEN];
 
+  memset (&new_attr, 0, sizeof(struct attr));
+  memset (&new_extra, 0, sizeof(struct attr_extra));
+
   bgp = peer->bgp;
   rn = bgp_afi_node_get (bgp->rib[afi][safi], afi, safi, p, prd);