diff options
| author | Donatas Abraitis <donatas.abraitis@gmail.com> | 2020-10-17 19:24:11 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-10-17 19:24:11 +0200 |
| commit | f41688b42365bbbd1d33729ac70ae7dba33288c4 (patch) | |
| tree | dec2f5918048e5c9619cd60524e175528aa302ef | |
| parent | Merge pull request #7306 from donaldsharp/bgp_dest_print (diff) | |
| parent | zebra: Fix use after free in debug path (diff) | |
| download | frr-f41688b42365bbbd1d33729ac70ae7dba33288c4.tar.xz frr-f41688b42365bbbd1d33729ac70ae7dba33288c4.zip | |
Merge pull request #7330 from donaldsharp/zebra_use_after_free
zebra: Fix use after free in debug path
| -rw-r--r-- | zebra/zebra_rib.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c index 0b1450c8f..8b375e44b 100644 --- a/zebra/zebra_rib.c +++ b/zebra/zebra_rib.c @@ -2268,9 +2268,18 @@ static void process_subq_route(struct listnode *lnode, uint8_t qindex) rib_process(rnode); if (IS_ZEBRA_DEBUG_RIB_DETAILED) { - struct route_entry *re = re_list_first(&dest->routes); + struct route_entry *re = NULL; char buf[SRCDEST2STR_BUFFER]; + /* + * rib_process may have freed the dest + * as part of the garbage collection. Let's + * prevent stupidity from happening. + */ + dest = rib_dest_from_rnode(rnode); + if (dest) + re = re_list_first(&dest->routes); + srcdest_rnode2str(rnode, buf, sizeof(buf)); zlog_debug("%s(%u:%u):%s: rn %p dequeued from sub-queue %u", zvrf_name(zvrf), zvrf_id(zvrf), re ? re->table : 0, buf, |