bgpd: fix invalid memory access in peer_free() We shoult not call bgp_unlock() before calling bgp_delete_connected_nexthop() in the peer_free() function. Otherwise, if bgp->lock reaches zero, bgp_free() is called and peer->bgp becomes an invalid pointer in the bgp_delete_connected_nexthop() function. To fix this, move the call to bgp_unlock() to the end of peer_free().

commit: 670f3dba6721a500418b5793a2b00579198d2bd7 [log] [tgz]
author: Renato Westphal <renato@opensourcerouting.org> Mon Nov 28 16:47:13 2016 -0200
committer: Paul Jakma <paul@quagga.net> Mon Jan 23 18:51:57 2017 +0000
tree: 6ad3c568371acfc18e96883644f76ecdedd34d07
parent: 4d48bb360db5148b18524d06616555b06342fa68 [diff]
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 56e4322..69ab7da 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c

@@ -736,8 +736,6 @@
 {
   assert (peer->status == Deleted);
 
-  bgp_unlock(peer->bgp);
-
   /* this /ought/ to have been done already through bgp_stop earlier,
    * but just to be sure.. 
    */
@@ -782,6 +780,9 @@
     XFREE(MTYPE_TMP, peer->notify.data);
   
   bgp_sync_delete (peer);
+
+  bgp_unlock(peer->bgp);
+
   memset (peer, 0, sizeof (struct peer));
   
   XFREE (MTYPE_BGP_PEER, peer);
commit	670f3dba6721a500418b5793a2b00579198d2bd7	[log] [tgz]
author	Renato Westphal <renato@opensourcerouting.org>	Mon Nov 28 16:47:13 2016 -0200
committer	Paul Jakma <paul@quagga.net>	Mon Jan 23 18:51:57 2017 +0000
tree	6ad3c568371acfc18e96883644f76ecdedd34d07
parent	4d48bb360db5148b18524d06616555b06342fa68 [diff]