From: Maria Matejka Date: Wed, 7 May 2025 13:02:24 +0000 (+0200) Subject: BGP: Fix crash on too long export X-Git-Tag: v3.1.1~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb5385c9967d236224fe4cf6bc4a6963a00911be;p=thirdparty%2Fbird.git BGP: Fix crash on too long export When BGP route is short enough to be accepted but too long after local changes, it is converted to withdraw. In these cases though, there was a dangling pointer left from the prefix structure to the attribute bucket. That pointer is now pointing at the right place after the bucket gets converted to withdraw. Thanks to ix.br for catching and reporting this issue. --- diff --git a/proto/bgp/attrs.c b/proto/bgp/attrs.c index 69390dd53..690ffd2a0 100644 --- a/proto/bgp/attrs.c +++ b/proto/bgp/attrs.c @@ -1821,8 +1821,10 @@ bgp_withdraw_bucket(struct bgp_ptx_private *c, struct bgp_bucket *b) struct bgp_prefix *px = HEAD(b->prefixes); log(L_ERR "%s: - withdrawing %N", p->p.name, px->ni->addr); + ASSERT_DIE(px->cur == b); rem_node(&px->buck_node); add_tail(&wb->prefixes, &px->buck_node); + px->cur = wb; } }
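Review bot: the new ASSERT_DIE(px->cur == b) at the top of the loop body in bgp_withdraw_bucket() makes a mismatched px->cur fatal for the whole daemon, so it deserves a short comment stating the invariant it enforces (every prefix queued on b->prefixes has cur pointing back at b) and why aborting is preferred here over logging and continuing, given that the surrounding code already reports the withdrawal with log(L_ERR ...). The px->cur = wb assignment after add_tail() would also benefit from a one-line comment saying that it keeps the prefix's back-pointer in step with the list the node was just moved to, since the commit message identifies that missing update as the source of the dangling pointer. Neither the hunk nor the message mentions a regression test; a case that exports a route which becomes too long after local changes would pin the fix down.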