From: Ondrej Zajicek (work) <santiago@crfreenet.org>
Date: Mon, 31 May 2021 23:59:20 +0000 (+0200)
Subject: BGP: Ensure that freed neighbor entry is not accessed
X-Git-Tag: v2.0.9~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=91d04583891f7a6f4aee612cf3f143cc84a73991;p=thirdparty%2Fbird.git

BGP: Ensure that freed neighbor entry is not accessed

Routes from downed protocols stay in rtable (until next rtable prune
cycle ends) and may be even exported to another protocol. In BGP case,
source BGP protocol is examined, although dynamic parts (including
neighbor entries) are already freed. That may lead to crash under some
race conditions. Ensure that freed neighbor entry is not accessed to
avoid this issue.
---

diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
index 1adb930de..e4d754b1a 100644
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -337,6 +337,8 @@ err2:
 err1:
   p->p.disabled = 1;
   bgp_store_error(p, NULL, BE_MISC, err_val);
+
+  p->neigh = NULL;
   proto_notify_state(&p->p, PS_DOWN);
 
   return;
@@ -473,6 +475,8 @@ bgp_down(struct bgp_proto *p)
     bgp_close(p);
   }
 
+  p->neigh = NULL;
+
   BGP_TRACE(D_EVENTS, "Down");
   proto_notify_state(&p->p, PS_DOWN);
 }
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index b16ee2425..99b5d5b46 100644
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -1051,7 +1051,8 @@ bgp_use_next_hop(struct bgp_export_state *s, eattr *a)
     return 1;
 
   /* Keep it when forwarded between single-hop BGPs on the same iface */
-  struct iface *ifa = (s->src && s->src->neigh) ? s->src->neigh->iface : NULL;
+  struct iface *ifa = (s->src && s->src->neigh && (s->src->p.proto_state != PS_DOWN)) ?
+    s->src->neigh->iface : NULL;
   return p->neigh && (p->neigh->iface == ifa);
 }