diff options
| author | Paul Jakma <paul.jakma@sun.com> | 2008-07-02 02:12:07 +0000 |
|---|---|---|
| committer | Paul Jakma <paul.jakma@sun.com> | 2008-07-02 02:12:07 +0000 |
| commit | b608d5b5ac469d47072aedd573e5d3475f4d9cf4 (patch) | |
| tree | a6e130a1dee11accfbffffd154c592d49e4312dc /bgpd | |
| parent | 0b3f3d47b21ddf175bfdd549ba33fbcd34801244 (diff) | |
[bgpd] Fix double-free crash in bgp_table_finish, seen with rs-client
2008-07-02 Stephen Hemminger <stephen.hemminger@vyatta.com>
* bgp_table.{c,h}: (bgp_table_finish) Take a double pointer and
scrub pointer in caller, so fixing double-free crashes seen
with route-server-client configuration.
* *.c: Adjust all callers of bgp_table_finish
2008-07-02 Paul Jakma <paul.jakma@sun.com>
* bgp_table.{c,h}: (bgp_node_delete, bgp_table_free) shouldn't be
exported.
Diffstat (limited to 'bgpd')
| -rw-r--r-- | bgpd/ChangeLog | 12 | ||||
| -rw-r--r-- | bgpd/bgp_table.c | 13 | ||||
| -rw-r--r-- | bgpd/bgp_table.h | 3 | ||||
| -rw-r--r-- | bgpd/bgp_vty.c | 2 | ||||
| -rw-r--r-- | bgpd/bgpd.c | 4 |
5 files changed, 23 insertions, 11 deletions
diff --git a/bgpd/ChangeLog b/bgpd/ChangeLog index 2da28213..f486e648 100644 --- a/bgpd/ChangeLog +++ b/bgpd/ChangeLog @@ -1,3 +1,15 @@ +2008-07-02 Stephen Hemminger <stephen.hemminger@vyatta.com> + + * bgp_table.{c,h}: (bgp_table_finish) Take a double pointer and + scrub pointer in caller, so fixing double-free crashes seen + with route-server-client configuration. + * *.c: Adjust all callers of bgp_table_finish + +2008-07-02 Paul Jakma <paul.jakma@sun.com> + + * bgp_table.{c,h}: (bgp_node_delete, bgp_table_free) shouldn't be + exported. + 2008-06-07 Paul Jakma <paul@jakma.org> * bgp_attr.{c,h}: (bgp_mp_{un,}reach_parse) export, for unit tests. diff --git a/bgpd/bgp_table.c b/bgpd/bgp_table.c index 810dab54..be598328 100644 --- a/bgpd/bgp_table.c +++ b/bgpd/bgp_table.c @@ -28,8 +28,8 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA #include "bgpd/bgpd.h" #include "bgpd/bgp_table.h" -void bgp_node_delete (struct bgp_node *); -void bgp_table_free (struct bgp_table *); +static void bgp_node_delete (struct bgp_node *); +static void bgp_table_free (struct bgp_table *); struct bgp_table * bgp_table_init (afi_t afi, safi_t safi) @@ -47,9 +47,10 @@ bgp_table_init (afi_t afi, safi_t safi) } void -bgp_table_finish (struct bgp_table *rt) +bgp_table_finish (struct bgp_table **rt) { - bgp_table_free (rt); + bgp_table_free (*rt); + *rt = NULL; } static struct bgp_node * @@ -84,7 +85,7 @@ bgp_node_free (struct bgp_node *node) } /* Free route table. */ -void +static void bgp_table_free (struct bgp_table *rt) { struct bgp_node *tmp_node; @@ -360,7 +361,7 @@ bgp_node_get (struct bgp_table *table, struct prefix *p) } /* Delete node from the routing table. */ -void +static void bgp_node_delete (struct bgp_node *node) { struct bgp_node *child; diff --git a/bgpd/bgp_table.h b/bgpd/bgp_table.h index 62421e71..0387c247 100644 --- a/bgpd/bgp_table.h +++ b/bgpd/bgp_table.h @@ -68,9 +68,8 @@ struct bgp_node }; extern struct bgp_table *bgp_table_init (afi_t, safi_t); -extern void bgp_table_finish (struct bgp_table *); +extern void bgp_table_finish (struct bgp_table **); extern void bgp_unlock_node (struct bgp_node *node); -extern void bgp_node_delete (struct bgp_node *node); extern struct bgp_node *bgp_table_top (struct bgp_table *); extern struct bgp_node *bgp_route_next (struct bgp_node *); extern struct bgp_node *bgp_route_next_until (struct bgp_node *, struct bgp_node *); diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c index 927e99a1..f1749a78 100644 --- a/bgpd/bgp_vty.c +++ b/bgpd/bgp_vty.c @@ -2153,7 +2153,7 @@ peer_rsclient_unset_vty (struct vty *vty, const char *peer_str, listnode_delete (bgp->rsclient, peer); } - bgp_table_finish (peer->rib[bgp_node_afi(vty)][bgp_node_safi(vty)]); + bgp_table_finish (&peer->rib[bgp_node_afi(vty)][bgp_node_safi(vty)]); return CMD_SUCCESS; } diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c index 374c4c52..4dc6621d 100644 --- a/bgpd/bgpd.c +++ b/bgpd/bgpd.c @@ -1228,7 +1228,7 @@ peer_delete (struct peer *peer) for (afi = AFI_IP; afi < AFI_MAX; afi++) for (safi = SAFI_UNICAST; safi < SAFI_MAX; safi++) if (peer->rib[afi][safi] && ! peer->af_group[afi][safi]) - bgp_table_finish (peer->rib[afi][safi]); + bgp_table_finish (&peer->rib[afi][safi]); /* Buffers. */ if (peer->ibuf) @@ -1798,7 +1798,7 @@ peer_group_bind (struct bgp *bgp, union sockunion *su, list_delete_node (bgp->rsclient, pn); } - bgp_table_finish (peer->rib[afi][safi]); + bgp_table_finish (&peer->rib[afi][safi]); /* Import policy. */ if (peer->filter[afi][safi].map[RMAP_IMPORT].name) |