diff options
| author | Renato Westphal <renato@opensourcerouting.org> | 2019-02-20 19:37:29 +0100 |
|---|---|---|
| committer | Renato Westphal <renato@opensourcerouting.org> | 2019-02-21 03:04:12 +0100 |
| commit | 6291837764c6bd2facbff5fbe38f33fa8b1b1d34 (patch) | |
| tree | cabb496092f1ddac9b91184422380f33c9d577f6 /bgpd/bgp_route.c | |
| parent | isisd: fix crash when entering "no ip[v6] router isis" twice (diff) | |
| download | frr-6291837764c6bd2facbff5fbe38f33fa8b1b1d34.tar.xz frr-6291837764c6bd2facbff5fbe38f33fa8b1b1d34.zip | |
bgpd: fix null pointer dereference bug
If path->net is NULL in the bgp_path_info_free() function, then
bgpd would crash in bgp_addpath_free_info_data() with the following
backtrace:
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ff7b267a42a in __GI_abort () at abort.c:89
#2 0x00007ff7b39c1ca0 in core_handler (signo=11, siginfo=0x7ffff66414f0, context=<optimized out>) at lib/sigevent.c:249
#3 <signal handler called>
#4 idalloc_free_to_pool (pool_ptr=pool_ptr@entry=0x0, id=3) at lib/id_alloc.c:368
#5 0x0000560096246688 in bgp_addpath_free_info_data (d=d@entry=0x560098665468, nd=0x0) at bgpd/bgp_addpath.c:100
#6 0x00005600961bb522 in bgp_path_info_free (path=0x560098665400) at bgpd/bgp_route.c:252
#7 bgp_path_info_unlock (path=0x560098665400) at bgpd/bgp_route.c:276
#8 0x00005600961bb719 in bgp_path_info_reap (rn=rn@entry=0x5600986b2110, pi=pi@entry=0x560098665400) at bgpd/bgp_route.c:320
#9 0x00005600961bf4db in bgp_process_main_one (safi=SAFI_MPLS_VPN, afi=AFI_IP, rn=0x5600986b2110, bgp=0x560098587320) at bgpd/bgp_route.c:2476
#10 bgp_process_wq (wq=<optimized out>, data=0x56009869b8f0) at bgpd/bgp_route.c:2503
#11 0x00007ff7b39d5fcc in work_queue_run (thread=0x7ffff6641e10) at lib/workqueue.c:294
#12 0x00007ff7b39ce3b1 in thread_call (thread=thread@entry=0x7ffff6641e10) at lib/thread.c:1606
#13 0x00007ff7b39a3538 in frr_run (master=0x5600980795b0) at lib/libfrr.c:1011
#14 0x000056009618a5a3 in main (argc=3, argv=0x7ffff6642078) at bgpd/bgp_main.c:481
Add a null-check protection to fix this problem.
Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
Diffstat (limited to '')
| -rw-r--r-- | bgpd/bgp_route.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c index 8e72b742a..230df715d 100644 --- a/bgpd/bgp_route.c +++ b/bgpd/bgp_route.c @@ -254,8 +254,9 @@ static void bgp_path_info_free(struct bgp_path_info *path) bgp_unlink_nexthop(path); bgp_path_info_extra_free(&path->extra); bgp_path_info_mpath_free(&path->mpath); - bgp_addpath_free_info_data(&path->tx_addpath, - path->net ? &path->net->tx_addpath : NULL); + if (path->net) + bgp_addpath_free_info_data(&path->tx_addpath, + &path->net->tx_addpath); peer_unlock(path->peer); /* bgp_path_info peer reference */ |