From 859cbd75e12966b09985b2a992da5ffb250938f8 Mon Sep 17 00:00:00 2001
From: Ondrej Zajicek
Date: Mon, 14 Apr 2014 12:50:03 +0200
Subject: [PATCH] Fixes a bug in (mainly) IPv6 BGP. Stack variable may be used unitialized and that would lead to spurious rta_free(), which may cause crash. The bug was introduced in 1.4.1 from merging add-path branch. Thanks to Peter Andreev for reporting it and Alexander V. Chernikov for resolving it.
---
 proto/bgp/packets.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 808afaa9..b6239025 100644
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -1082,7 +1082,7 @@ bgp_do_rx_update(struct bgp_conn *conn,
 {
 struct bgp_proto *p = conn->bgp;
 struct rte_src *src = p->p.main_source;
- rta *a0, *a;
+ rta *a0, *a = NULL;
 ip_addr prefix;
 int pxlen, err = 0;
 u32 path_id = 0;
@@ -1115,7 +1115,6 @@ bgp_do_rx_update(struct bgp_conn *conn,
 if (a0 && ! bgp_set_next_hop(p, a0)) a0 = NULL;
- a = NULL;
 last_id = 0;
 src = p->p.main_source;
@@ -1187,7 +1186,7 @@ bgp_do_rx_update(struct bgp_conn *conn,
 byte *start, *x;
 int len, len0;
 unsigned af, sub;
- rta *a0, *a;
+ rta *a0, *a = NULL;
 ip_addr prefix;
 int pxlen, err = 0;
 u32 path_id = 0;
@@ -1234,7 +1233,6 @@ bgp_do_rx_update(struct bgp_conn *conn,
 if (a0 && ! bgp_set_next_hop(p, a0)) a0 = NULL;
- a = NULL;
 last_id = 0;
 src = p->p.main_source;
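Review bot: In the new declaration `rta *a0, *a = NULL;` (hunk at 1082, and identically in the hunk at 1186) only `a` receives the initializer, while `a0` on the same line is still left indeterminate. The hunks do not show whether `a0` is assigned before every early exit, and the commit message attributes the crash to exactly this pattern: an uninitialized stack pointer reaching rta_free(). I would declare the two pointers separately and initialize both, `rta *a0 = NULL;` and `rta *a = NULL;`, which also avoids the easy misreading that `= NULL` applies to the whole declarator list. A short comment on `a`, for example `/* must be NULL before any early exit; presumably freed on the exit path */`, would keep a later refactor from moving the initialization back down. Both function bodies start and end outside the hunks, so the exit paths need to be checked against the full file.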