BGP: Ensure that freed neighbor entry is not accessed

Routes from downed protocols stay in rtable (until next rtable prune
cycle ends) and may be even exported to another protocol. In BGP case,
source BGP protocol is examined, although dynamic parts (including
neighbor entries) are already freed. That may lead to crash under some
race conditions. Ensure that freed neighbor entry is not accessed to
avoid this issue.
This commit is contained in:
Ondrej Zajicek (work) 2021-06-01 01:59:20 +02:00
parent ebd5751cde
commit 91d0458389
2 changed files with 6 additions and 1 deletions

View file

@ -337,6 +337,8 @@ err2:
err1: err1:
p->p.disabled = 1; p->p.disabled = 1;
bgp_store_error(p, NULL, BE_MISC, err_val); bgp_store_error(p, NULL, BE_MISC, err_val);
p->neigh = NULL;
proto_notify_state(&p->p, PS_DOWN); proto_notify_state(&p->p, PS_DOWN);
return; return;
@ -473,6 +475,8 @@ bgp_down(struct bgp_proto *p)
bgp_close(p); bgp_close(p);
} }
p->neigh = NULL;
BGP_TRACE(D_EVENTS, "Down"); BGP_TRACE(D_EVENTS, "Down");
proto_notify_state(&p->p, PS_DOWN); proto_notify_state(&p->p, PS_DOWN);
} }

View file

@ -1051,7 +1051,8 @@ bgp_use_next_hop(struct bgp_export_state *s, eattr *a)
return 1; return 1;
/* Keep it when forwarded between single-hop BGPs on the same iface */ /* Keep it when forwarded between single-hop BGPs on the same iface */
struct iface *ifa = (s->src && s->src->neigh) ? s->src->neigh->iface : NULL; struct iface *ifa = (s->src && s->src->neigh && (s->src->p.proto_state != PS_DOWN)) ?
s->src->neigh->iface : NULL;
return p->neigh && (p->neigh->iface == ifa); return p->neigh && (p->neigh->iface == ifa);
} }