From b608d5b5ac469d47072aedd573e5d3475f4d9cf4 Mon Sep 17 00:00:00 2001 From: Paul Jakma Date: Wed, 2 Jul 2008 02:12:07 +0000 Subject: [bgpd] Fix double-free crash in bgp_table_finish, seen with rs-client 2008-07-02 Stephen Hemminger * bgp_table.{c,h}: (bgp_table_finish) Take a double pointer and scrub pointer in caller, so fixing double-free crashes seen with route-server-client configuration. * *.c: Adjust all callers of bgp_table_finish 2008-07-02 Paul Jakma * bgp_table.{c,h}: (bgp_node_delete, bgp_table_free) shouldn't be exported. --- bgpd/ChangeLog | 12 ++++++++++++ bgpd/bgp_table.c | 13 +++++++------ bgpd/bgp_table.h | 3 +-- bgpd/bgp_vty.c | 2 +- bgpd/bgpd.c | 4 ++-- 5 files changed, 23 insertions(+), 11 deletions(-) diff --git a/bgpd/ChangeLog b/bgpd/ChangeLog index 2da28213..f486e648 100644 --- a/bgpd/ChangeLog +++ b/bgpd/ChangeLog @@ -1,3 +1,15 @@ +2008-07-02 Stephen Hemminger + + * bgp_table.{c,h}: (bgp_table_finish) Take a double pointer and + scrub pointer in caller, so fixing double-free crashes seen + with route-server-client configuration. + * *.c: Adjust all callers of bgp_table_finish + +2008-07-02 Paul Jakma + + * bgp_table.{c,h}: (bgp_node_delete, bgp_table_free) shouldn't be + exported. + 2008-06-07 Paul Jakma * bgp_attr.{c,h}: (bgp_mp_{un,}reach_parse) export, for unit tests. diff --git a/bgpd/bgp_table.c b/bgpd/bgp_table.c index 810dab54..be598328 100644 --- a/bgpd/bgp_table.c +++ b/bgpd/bgp_table.c @@ -28,8 +28,8 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA #include "bgpd/bgpd.h" #include "bgpd/bgp_table.h" -void bgp_node_delete (struct bgp_node *); -void bgp_table_free (struct bgp_table *); +static void bgp_node_delete (struct bgp_node *); +static void bgp_table_free (struct bgp_table *); struct bgp_table * bgp_table_init (afi_t afi, safi_t safi) @@ -47,9 +47,10 @@ bgp_table_init (afi_t afi, safi_t safi) } void -bgp_table_finish (struct bgp_table *rt) +bgp_table_finish (struct bgp_table **rt) { - bgp_table_free (rt); + bgp_table_free (*rt); + *rt = NULL; } static struct bgp_node * @@ -84,7 +85,7 @@ bgp_node_free (struct bgp_node *node) } /* Free route table. */ -void +static void bgp_table_free (struct bgp_table *rt) { struct bgp_node *tmp_node; @@ -360,7 +361,7 @@ bgp_node_get (struct bgp_table *table, struct prefix *p) } /* Delete node from the routing table. */ -void +static void bgp_node_delete (struct bgp_node *node) { struct bgp_node *child; diff --git a/bgpd/bgp_table.h b/bgpd/bgp_table.h index 62421e71..0387c247 100644 --- a/bgpd/bgp_table.h +++ b/bgpd/bgp_table.h @@ -68,9 +68,8 @@ struct bgp_node }; extern struct bgp_table *bgp_table_init (afi_t, safi_t); -extern void bgp_table_finish (struct bgp_table *); +extern void bgp_table_finish (struct bgp_table **); extern void bgp_unlock_node (struct bgp_node *node); -extern void bgp_node_delete (struct bgp_node *node); extern struct bgp_node *bgp_table_top (struct bgp_table *); extern struct bgp_node *bgp_route_next (struct bgp_node *); extern struct bgp_node *bgp_route_next_until (struct bgp_node *, struct bgp_node *); diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c index 927e99a1..f1749a78 100644 --- a/bgpd/bgp_vty.c +++ b/bgpd/bgp_vty.c @@ -2153,7 +2153,7 @@ peer_rsclient_unset_vty (struct vty *vty, const char *peer_str, listnode_delete (bgp->rsclient, peer); } - bgp_table_finish (peer->rib[bgp_node_afi(vty)][bgp_node_safi(vty)]); + bgp_table_finish (&peer->rib[bgp_node_afi(vty)][bgp_node_safi(vty)]); return CMD_SUCCESS; } diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c index 374c4c52..4dc6621d 100644 --- a/bgpd/bgpd.c +++ b/bgpd/bgpd.c @@ -1228,7 +1228,7 @@ peer_delete (struct peer *peer) for (afi = AFI_IP; afi < AFI_MAX; afi++) for (safi = SAFI_UNICAST; safi < SAFI_MAX; safi++) if (peer->rib[afi][safi] && ! peer->af_group[afi][safi]) - bgp_table_finish (peer->rib[afi][safi]); + bgp_table_finish (&peer->rib[afi][safi]); /* Buffers. */ if (peer->ibuf) @@ -1798,7 +1798,7 @@ peer_group_bind (struct bgp *bgp, union sockunion *su, list_delete_node (bgp->rsclient, pn); } - bgp_table_finish (peer->rib[afi][safi]); + bgp_table_finish (&peer->rib[afi][safi]); /* Import policy. */ if (peer->filter[afi][safi].map[RMAP_IMPORT].name) -- cgit v1.2.1