From 81136c2cec27df690800fee0804671b9e77a6572 Mon Sep 17 00:00:00 2001
From: Maria Matejka
Date: Wed, 7 May 2025 15:02:24 +0200
Subject: [PATCH] BGP: Fix crash on too long export
When BGP route is short enough to be accepted but too long after local changes, it is converted to withdraw. In these cases though, there was a dangling pointer left from the prefix structure to the attribute bucket. That pointer is now pointing at the right place after the bucket gets converted to withdraw. Thanks to ix.br for catching and reporting this issue.
---
 proto/bgp/attrs.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/proto/bgp/attrs.c b/proto/bgp/attrs.c
index 68cd7df32..cc11674f6 100644
--- a/proto/bgp/attrs.c
+++ b/proto/bgp/attrs.c
@@ -1802,8 +1802,10 @@ bgp_withdraw_bucket(struct bgp_ptx_private *c, struct bgp_bucket *b)
 struct bgp_prefix *px = HEAD(b->prefixes);
 log(L_ERR "%s: - withdrawing %N", p->p.name, px->ni->addr);
+ ASSERT_DIE(px->cur == b);
 rem_node(&px->buck_node);
 add_tail(&wb->prefixes, &px->buck_node);
+ px->cur = wb;
 }
 }
--
2.47.2
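Review bot: The two added lines in the loop of bgp_withdraw_bucket() depend on an invariant that nothing in the hunk states: a prefix linked on a bucket's `prefixes` list must have `px->cur` pointing at that same bucket. Since the commit message attributes the crash to this pointer being left stale, I would state the rule next to the code, e.g. `/* px moves to the withdraw bucket: px->cur must follow buck_node so that b is no longer referenced from px */` above `rem_node(&px->buck_node);`. `ASSERT_DIE(px->cur == b)` turns a broken invariant into a daemon abort instead of continued use of a stale pointer, which looks like the intended fail-stop choice. That abort is reachable from the export path, though, so it is worth confirming that every other place that relinks `buck_node` also updates `px->cur`; none of those are visible here. The function starts above the hunk, so where `wb` comes from and whether `b` is released after the loop cannot be checked from this page.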