From eb5385c9967d236224fe4cf6bc4a6963a00911be Mon Sep 17 00:00:00 2001
From: Maria Matejka
Date: Wed, 7 May 2025 15:02:24 +0200
Subject: [PATCH] BGP: Fix crash on too long export
When BGP route is short enough to be accepted but too long after local changes, it is converted to withdraw. In these cases though, there was a dangling pointer left from the prefix structure to the attribute bucket. That pointer is now pointing at the right place after the bucket gets converted to withdraw. Thanks to ix.br for catching and reporting this issue.
---
 proto/bgp/attrs.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/proto/bgp/attrs.c b/proto/bgp/attrs.c
index 69390dd53..690ffd2a0 100644
--- a/proto/bgp/attrs.c
+++ b/proto/bgp/attrs.c
@@ -1821,8 +1821,10 @@ bgp_withdraw_bucket(struct bgp_ptx_private *c, struct bgp_bucket *b)
 struct bgp_prefix *px = HEAD(b->prefixes);
 log(L_ERR "%s: - withdrawing %N", p->p.name, px->ni->addr);
+ ASSERT_DIE(px->cur == b);
 rem_node(&px->buck_node);
 add_tail(&wb->prefixes, &px->buck_node);
+ px->cur = wb;
 }
 }
-- 
2.47.2
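Review bot: The relink in the loop body of bgp_withdraw_bucket now relies on three statements staying together (`rem_node`, `add_tail`, `px->cur = wb`), and nothing in the code records that `px->cur` must always name the bucket whose `prefixes` list holds the prefix. A comment above the new assignment would state it, e.g. `/* px is linked on wb now; px->cur must follow, or it dangles once b is released */` (that b is released afterwards is inferred from the commit message, not visible here). The added `ASSERT_DIE(px->cur == b)` is fail-stop: if the invariant is ever broken on this path, which per the description is reached for routes that become too long after local changes, the daemon aborts instead of continuing with a stale pointer. It is therefore worth confirming that no other site that moves `buck_node` between buckets leaves `cur` behind. The function begins before the hunk, so the loop condition and the definitions of `wb` and `p` are not visible.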