From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Thu, 8 Sep 2016 11:45:36 +0000 (+0200)
Subject: BFD: Fix invalid read from pollfd array
X-Git-Tag: v1.6.1~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f5054f6850c7419933a6337a34263f565663ee3;p=thirdparty%2Fbird.git

BFD: Fix invalid read from pollfd array

It is possible that sockets_add() are called between sockets_prepare()
and sockets_fire() during poll loop in birdloop_main(), so we need to
use loop->poll_fd.used instead of loop->sock_num to find the last field.
---

diff --git a/proto/bfd/io.c b/proto/bfd/io.c
index 79ed9af71..8f4f50074 100644
--- a/proto/bfd/io.c
+++ b/proto/bfd/io.c
@@ -589,7 +589,7 @@ sockets_fire(struct birdloop *loop)
   times_update(loop);
 
   /* Last fd is internal wakeup fd */
-  if (pfd[loop->sock_num].revents & POLLIN)
+  if (pfd[poll_num].revents & POLLIN)
     wakeup_drain(loop);
 
   int i;