From 78d92e1721538ec41feb2b1c34712675b830087b Mon Sep 17 00:00:00 2001 From: Josh Bailey Date: Wed, 20 Jul 2011 20:51:07 -0700 Subject: bgpd: Fix a crash caused by mistakenly dequeueing the bestpath on the multipath list. This causes the multipath list to get truncated but the multipath count still reflects what it was before truncation. When we install the route to zebra we fail to fill the nexthop array with the number of nexthop pointers indicated by the multipath count and this leads to a NULL pointer crash in stream_put_in_addr(). Changes: * bgpd/bgp_mpath.c * bgp_info_mpath_update(): If new_mpath is the bestpath we should just move to the next mp_list node. Move dequeue of new_mpath and the code that updates next_mpath to inside the check that new_mpath is not the bestpath. --- bgpd/bgp_mpath.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'bgpd') diff --git a/bgpd/bgp_mpath.c b/bgpd/bgp_mpath.c index 44823c4b..1709c244 100644 --- a/bgpd/bgp_mpath.c +++ b/bgpd/bgp_mpath.c @@ -521,12 +521,13 @@ bgp_info_mpath_update (struct bgp_node *rn, struct bgp_info *new_best, */ new_mpath = listgetdata (mp_node); list_delete_node (mp_list, mp_node); - if (new_mpath == next_mpath) - next_mpath = bgp_info_mpath_next (new_mpath); - bgp_info_mpath_dequeue (new_mpath); if ((mpath_count < maxpaths) && (new_mpath != new_best) && bgp_info_nexthop_cmp (prev_mpath, new_mpath)) { + if (new_mpath == next_mpath) + next_mpath = bgp_info_mpath_next (new_mpath); + bgp_info_mpath_dequeue (new_mpath); + bgp_info_mpath_enqueue (prev_mpath, new_mpath); prev_mpath = new_mpath; mpath_changed = 1; -- cgit v1.2.1