bgpd: fix use of free memory by update_rsclient

* bgp_route.c: (bgp_static_update_rsclient) BGP sometimes crashes when
  removing route server client because of use after free.

  The code to update rsclient created a local static copy of bgp attributes
  but neglected to handle the extra information pointer. The extra
  information was getting freed by bgp_attr_unintern() and reused later when
  the copy was passed to bgp_attr_intern().

  The fix is to use the attr_dup function to create a copy of the extra
  information, then clean it up.

diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
index 8b0a3bf..fd51ad1 100644
--- a/bgpd/bgp_route.c
+++ b/bgpd/bgp_route.c
@@ -3280,7 +3280,7 @@
else
attr_new = bgp_attr_intern (&attr);
- new_attr = *attr_new;
+ bgp_attr_dup(&new_attr, attr_new);
SET_FLAG (bgp->peer_self->rmap_type, PEER_RMAP_TYPE_NETWORK);
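Review bot: the copy of the extra information that `bgp_attr_dup(&new_attr, attr_new);` creates is only released by the `bgp_attr_extra_free (&new_attr);` added near line 3309, and the roughly 25 lines between the two hunks are not shown, so please confirm that no return or early exit in that stretch leaves `new_attr` without its cleanup; if there is one, it needs the same free or the fix trades a use after free for a leak. A short comment at this call saying that `new_attr` now owns a private copy which must be freed would make that obligation visible to the next person editing the function. Minor style point: the new call has no space before the opening parenthesis, unlike `bgp_attr_intern (&attr)` and `SET_FLAG (...)` on the adjacent lines.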
@@ -3309,6 +3309,7 @@
bgp_attr_unintern (attr_new);
attr_new = bgp_attr_intern (&new_attr);
+ bgp_attr_extra_free (&new_attr);
for (ri = rn->info; ri; ri = ri->next)
if (ri->peer == bgp->peer_self && ri->type == ZEBRA_ROUTE_BGP
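Review bot: freeing `new_attr`'s extra information immediately after `attr_new = bgp_attr_intern (&new_attr);` is only safe if the interned attribute keeps its own copy rather than the pointer it was handed, and nothing in the visible lines documents that. The commit message describes the original bug as exactly this kind of shared pointer between a stack copy and an interned attribute, so a one-line comment above `bgp_attr_extra_free (&new_attr);` stating that the interned attribute does not reference `new_attr`'s extra after this point would help keep the ordering from being rearranged later. It is also worth checking that `new_attr` is not read again further down the function once its extra information has been freed.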