BGP: Ensure that freed neighbor entry is not accessed (91d04583) · Commits · 戴 / Bird

Routes from downed protocols stay in rtable (until next rtable prune cycle ends) and may be even exported to another protocol. In BGP case, source BGP protocol is examined, although dynamic parts (including neighbor entries) are already freed. That may lead to crash under some race conditions. Ensure that freed neighbor entry is not accessed to avoid this issue.

proto/bgp/bgp.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -337,6 +337,8 @@ err2:
		err1:
		p->p.disabled = 1;
		bgp_store_error(p, NULL, BE_MISC, err_val);

		p->neigh = NULL;
		proto_notify_state(&p->p, PS_DOWN);

		return;
		@@ -473,6 +475,8 @@ bgp_down(struct bgp_proto *p)
		bgp_close(p);
		}

		p->neigh = NULL;

		BGP_TRACE(D_EVENTS, "Down");
		proto_notify_state(&p->p, PS_DOWN);
		}

proto/bgp/packets.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1051,7 +1051,8 @@ bgp_use_next_hop(struct bgp_export_state s, eattr a)
		return 1;

		/* Keep it when forwarded between single-hop BGPs on the same iface */
		struct iface *ifa = (s->src && s->src->neigh) ? s->src->neigh->iface : NULL;
		struct iface *ifa = (s->src && s->src->neigh && (s->src->p.proto_state != PS_DOWN)) ?
		s->src->neigh->iface : NULL;
		return p->neigh && (p->neigh->iface == ifa);
		}

Admin message