[quagga-dev 8130] Re: [PATCH 10/10] BGP: fix use of free memory by update_rsclient

Balaji G balajig81 at gmail.com
Sun Aug 8 12:18:39 BST 2010


Applied, Thanks,

Cheers,
  - Balaji

On Thu, Aug 5, 2010 at 10:56 PM, Stephen Hemminger <shemminger at vyatta.com> wrote:

> BGP sometimes crashes when removing route server client because
> of use after free.
>
> The code to update rsclient created a local static copy of bgp attributes
> but neglected to handle the extra information pointer. The extra
> information was getting freed by bgp_attr_unintern() and reused later
> when the copy was passed to bgp_attr_intern().
>
> The fix is to use the attr_dup function to create a copy of
> the extra information, then clean it up.
>
> ---
>  bgpd/bgp_route.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
> index 817c192..8e2e6d8 100644
> --- a/bgpd/bgp_route.c
> +++ b/bgpd/bgp_route.c
> @@ -3247,7 +3247,7 @@ bgp_static_update_rsclient (struct peer *rsclient,
> struct prefix *p,
>   else
>     attr_new = bgp_attr_intern (&attr);
>
> -  new_attr = *attr_new;
> +  bgp_attr_dup(&new_attr, attr_new);
>
>   SET_FLAG (bgp->peer_self->rmap_type, PEER_RMAP_TYPE_NETWORK);
>
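
Review bot: After bgp_attr_dup(&new_attr, attr_new), new_attr owns its own copy of the extra information, so every exit from the function past this line has to release it, and the only release visible in this patch is the bgp_attr_extra_free (&new_attr) added in the second hunk. The lines between the two hunks (3254 to 3275 in the new file) are not shown; please confirm that the route-map handling that starts at the SET_FLAG line has no early return in that range, or add the free on that path as well. Style nit on the same line: the surrounding code writes a space before the opening parenthesis, as in bgp_attr_intern (&attr).
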
> @@ -3276,6 +3276,7 @@ bgp_static_update_rsclient (struct peer *rsclient,
> struct prefix *p,
>
>   bgp_attr_unintern (attr_new);
>   attr_new = bgp_attr_intern (&new_attr);
> +  bgp_attr_extra_free (&new_attr);
>
>   for (ri = rn->info; ri; ri = ri->next)
>     if (ri->peer == bgp->peer_self && ri->type == ZEBRA_ROUTE_BGP
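
Review bot: The bgp_attr_extra_free (&new_attr) placed directly after attr_new = bgp_attr_intern (&new_attr) is only safe if bgp_attr_intern keeps its own copy of the extra information and does not retain the pointer held in new_attr; otherwise this would bring back the use after free that the commit message describes. A one-line comment above the free stating that ownership rule would help, since the original bug came from exactly this kind of implicit sharing between the local copy and the interned attribute.
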
> --
> 1.7.0.4