From ed3ebfa36b45fe487015e1918e848f0ff4500bff Mon Sep 17 00:00:00 2001
From: Paul Jakma <paul.jakma@sun.com>
Date: Sun, 15 Oct 2006 23:50:16 +0000
Subject: [bgpd] Coverity CID #64: Needless NULL check, CID #64: Deref of
 potentially NULL pointer.

2006-10-15 Paul Jakma <paul.jakma@sun.com>

	* bgp_packet.c: (bgp_update_packet) adv->rn can not be NULL,
	  check is bogus - changed to assert(), CID#64.
	  binfo is checked for NULL, but then dereferenced
	  unconditionally, fix, CID #63.
	  (bgp_withdraw_packet) Assert adv->rn is valid, as with
	  bgp_update_packet().
---
 bgpd/ChangeLog    |  6 ++++++
 bgpd/bgp_packet.c | 15 ++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/bgpd/ChangeLog b/bgpd/ChangeLog
index 56107329..83f9d493 100644
--- a/bgpd/ChangeLog
+++ b/bgpd/ChangeLog
@@ -2,6 +2,12 @@
 
 	* bgp_route.c: (bgp_table_stats_walker) NULL deref if table is
 	  empty, bgp_table_top may return NULL, Coverity CID#73.
+	* bgp_packet.c: (bgp_update_packet) adv->rn can not be NULL,
+	  check is bogus - changed to assert(), CID#64.
+	  binfo is checked for NULL, but then dereferenced
+	  unconditionally, fix, CID #63.
+	  (bgp_withdraw_packet) Assert adv->rn is valid, as with
+	  bgp_update_packet().
 
 2006-10-14 Paul Jakma <paul.jakma@sun.com>
 
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index cf6d00f1..9859e50b 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -158,14 +158,14 @@ bgp_update_packet (struct peer *peer, afi_t afi, safi_t safi)
 
   while (adv)
     {
-      if (adv->rn)
-        rn = adv->rn;
+      assert (adv->rn);
+      rn = adv->rn;
       adj = adv->adj;
       if (adv->binfo)
         binfo = adv->binfo;
 
       /* When remaining space can't include NLRI and it's length.  */
-      if (rn && STREAM_REMAIN (s) <= BGP_NLRI_LENGTH + PSIZE (rn->p.prefixlen))
+      if (STREAM_REMAIN (s) <= BGP_NLRI_LENGTH + PSIZE (rn->p.prefixlen))
 	break;
 
       /* If packet is empty, set attribute. */
@@ -173,11 +173,15 @@ bgp_update_packet (struct peer *peer, afi_t afi, safi_t safi)
 	{
 	  struct prefix_rd *prd = NULL;
 	  u_char *tag = NULL;
+	  struct peer *from = NULL;
 	  
 	  if (rn->prn)
 	    prd = (struct prefix_rd *) &rn->prn->p;
           if (binfo)
-            tag = binfo->tag;
+            {
+              tag = binfo->tag;
+              from = binfo->peer;
+            }
           
 	  bgp_packet_set_marker (s, BGP_MSG_UPDATE);
 	  stream_putw (s, 0);		
@@ -186,7 +190,7 @@ bgp_update_packet (struct peer *peer, afi_t afi, safi_t safi)
 	  total_attr_len = bgp_packet_attribute (NULL, peer, s, 
 	                                         adv->baa->attr,
 	                                         &rn->p, afi, safi, 
-	                                         binfo->peer, prd, tag);
+	                                         from, prd, tag);
 	  stream_putw_at (s, pos, total_attr_len);
 	}
 
@@ -288,6 +292,7 @@ bgp_withdraw_packet (struct peer *peer, afi_t afi, safi_t safi)
 
   while ((adv = FIFO_HEAD (&peer->sync[afi][safi]->withdraw)) != NULL)
     {
+      assert (adv->rn);
       adj = adv->adj;
       rn = adv->rn;
 
-- 
cgit v1.2.1