summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOndrej Zajicek <santiago@crfreenet.org>2014-04-14 12:50:03 +0200
committerOndrej Zajicek <santiago@crfreenet.org>2014-04-14 12:50:03 +0200
commit859cbd75e12966b09985b2a992da5ffb250938f8 (patch)
treed4743480bf390f3d871a9e34e4719cfb95cd6e7d
parent538fec7b1b7dd729eadf1c933e27f59080cd3576 (diff)
Fixes a bug in (mainly) IPv6 BGP.
Stack variable may be used unitialized and that would lead to spurious rta_free(), which may cause crash. The bug was introduced in 1.4.1 from merging add-path branch. Thanks to Peter Andreev for reporting it and Alexander V. Chernikov for resolving it.
-rw-r--r--proto/bgp/packets.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 808afaa9..b6239025 100644
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -1082,7 +1082,7 @@ bgp_do_rx_update(struct bgp_conn *conn,
{
struct bgp_proto *p = conn->bgp;
struct rte_src *src = p->p.main_source;
- rta *a0, *a;
+ rta *a0, *a = NULL;
ip_addr prefix;
int pxlen, err = 0;
u32 path_id = 0;
@@ -1115,7 +1115,6 @@ bgp_do_rx_update(struct bgp_conn *conn,
if (a0 && ! bgp_set_next_hop(p, a0))
a0 = NULL;
- a = NULL;
last_id = 0;
src = p->p.main_source;
@@ -1187,7 +1186,7 @@ bgp_do_rx_update(struct bgp_conn *conn,
byte *start, *x;
int len, len0;
unsigned af, sub;
- rta *a0, *a;
+ rta *a0, *a = NULL;
ip_addr prefix;
int pxlen, err = 0;
u32 path_id = 0;
@@ -1234,7 +1233,6 @@ bgp_do_rx_update(struct bgp_conn *conn,
if (a0 && ! bgp_set_next_hop(p, a0))
a0 = NULL;
- a = NULL;
last_id = 0;
src = p->p.main_source;