BGP: Ensure that freed neighbor entry is not accessed

Routes from downed protocols stay in rtable (until next rtable prune
cycle ends) and may be even exported to another protocol. In BGP case,
source BGP protocol is examined, although dynamic parts (including
neighbor entries) are already freed. That may lead to crash under some
race conditions. Ensure that freed neighbor entry is not accessed to
avoid this issue.

diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
index 1adb930de3be9bb8f7e165f2a99299700a6278f6..e4d754b1af5e7228f2275da3bf19b5ec6e442473 100644 (file)
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -337,6 +337,8 @@ err2:
 err1:
   p->p.disabled = 1;
   bgp_store_error(p, NULL, BE_MISC, err_val);
+
+  p->neigh = NULL;
   proto_notify_state(&p->p, PS_DOWN);
 
   return;
@@ -473,6 +475,8 @@ bgp_down(struct bgp_proto *p)
     bgp_close(p);
   }
 
+  p->neigh = NULL;
+
   BGP_TRACE(D_EVENTS, "Down");
   proto_notify_state(&p->p, PS_DOWN);
 }

diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index b16ee2425f0bcd46d2d97386938b7d104d4933e4..99b5d5b465ff5b52ac9b54056574925744e05bfa 100644 (file)
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -1051,7 +1051,8 @@ bgp_use_next_hop(struct bgp_export_state *s, eattr *a)
     return 1;
 
   /* Keep it when forwarded between single-hop BGPs on the same iface */
-  struct iface *ifa = (s->src && s->src->neigh) ? s->src->neigh->iface : NULL;
+  struct iface *ifa = (s->src && s->src->neigh && (s->src->p.proto_state != PS_DOWN)) ?
+    s->src->neigh->iface : NULL;
   return p->neigh && (p->neigh->iface == ifa);
 }