BGP: Fix crash on too long export

When BGP route is short enough to be accepted but too long after local
changes, it is converted to withdraw. In these cases though, there was
a dangling pointer left from the prefix structure to the attribute
bucket.

That pointer is now pointing at the right place after the bucket gets
converted to withdraw.

Thanks to ix.br for catching and reporting this issue.

diff --git a/proto/bgp/attrs.c b/proto/bgp/attrs.c
index 68cd7df323b40463dea41655678a5afbca7a7108..cc11674f6de52eb630fa5b26c71c788504958ad6 100644 (file)
--- a/proto/bgp/attrs.c
+++ b/proto/bgp/attrs.c
@@ -1802,8 +1802,10 @@ bgp_withdraw_bucket(struct bgp_ptx_private *c, struct bgp_bucket *b)
     struct bgp_prefix *px = HEAD(b->prefixes);
 
     log(L_ERR "%s: - withdrawing %N", p->p.name, px->ni->addr);
+    ASSERT_DIE(px->cur == b);
     rem_node(&px->buck_node);
     add_tail(&wb->prefixes, &px->buck_node);
+    px->cur = wb;
   }
 }