From 91d04583891f7a6f4aee612cf3f143cc84a73991 Mon Sep 17 00:00:00 2001 From: "Ondrej Zajicek (work)" Date: Tue, 1 Jun 2021 01:59:20 +0200 Subject: [PATCH] BGP: Ensure that freed neighbor entry is not accessed Routes from downed protocols stay in rtable (until next rtable prune cycle ends) and may be even exported to another protocol. In BGP case, source BGP protocol is examined, although dynamic parts (including neighbor entries) are already freed. That may lead to crash under some race conditions. Ensure that freed neighbor entry is not accessed to avoid this issue. --- proto/bgp/bgp.c | 4 ++++ proto/bgp/packets.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c index 1adb930d..e4d754b1 100644 --- a/proto/bgp/bgp.c +++ b/proto/bgp/bgp.c @@ -337,6 +337,8 @@ err2: err1: p->p.disabled = 1; bgp_store_error(p, NULL, BE_MISC, err_val); + + p->neigh = NULL; proto_notify_state(&p->p, PS_DOWN); return; @@ -473,6 +475,8 @@ bgp_down(struct bgp_proto *p) bgp_close(p); } + p->neigh = NULL; + BGP_TRACE(D_EVENTS, "Down"); proto_notify_state(&p->p, PS_DOWN); } diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c index b16ee242..99b5d5b4 100644 --- a/proto/bgp/packets.c +++ b/proto/bgp/packets.c @@ -1051,7 +1051,8 @@ bgp_use_next_hop(struct bgp_export_state *s, eattr *a) return 1; /* Keep it when forwarded between single-hop BGPs on the same iface */ - struct iface *ifa = (s->src && s->src->neigh) ? s->src->neigh->iface : NULL; + struct iface *ifa = (s->src && s->src->neigh && (s->src->p.proto_state != PS_DOWN)) ? + s->src->neigh->iface : NULL; return p->neigh && (p->neigh->iface == ifa); }