Fixes a bug in (mainly) IPv6 BGP.

Stack variable may be used unitialized and that would lead to spurious
rta_free(), which may cause crash. The bug was introduced in 1.4.1 from
merging add-path branch.

Thanks to Peter Andreev for reporting it and Alexander V. Chernikov for
resolving it.

diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 808afaa9c174bc23dbd0320b2fac3fb524584f24..b6239025d0dcdc7a1da450adc329c97840839f66 100644 (file)
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -1082,7 +1082,7 @@ bgp_do_rx_update(struct bgp_conn *conn,
 {
   struct bgp_proto *p = conn->bgp;
   struct rte_src *src = p->p.main_source;
-  rta *a0, *a;
+  rta *a0, *a = NULL;
   ip_addr prefix;
   int pxlen, err = 0;
   u32 path_id = 0;
@@ -1115,7 +1115,6 @@ bgp_do_rx_update(struct bgp_conn *conn,
   if (a0 && ! bgp_set_next_hop(p, a0))
     a0 = NULL;
 
-  a = NULL;
   last_id = 0;
   src = p->p.main_source;
 
@@ -1187,7 +1186,7 @@ bgp_do_rx_update(struct bgp_conn *conn,
   byte *start, *x;
   int len, len0;
   unsigned af, sub;
-  rta *a0, *a;
+  rta *a0, *a = NULL;
   ip_addr prefix;
   int pxlen, err = 0;
   u32 path_id = 0;
@@ -1234,7 +1233,6 @@ bgp_do_rx_update(struct bgp_conn *conn,
       if (a0 && ! bgp_set_next_hop(p, a0))
        a0 = NULL;
 
-      a = NULL;
       last_id = 0;
       src = p->p.main_source;