From 0f5054f6850c7419933a6337a34263f565663ee3 Mon Sep 17 00:00:00 2001 From: Pavel Tvrdik Date: Thu, 8 Sep 2016 13:45:36 +0200 Subject: BFD: Fix invalid read from pollfd array It is possible that sockets_add() are called between sockets_prepare() and sockets_fire() during poll loop in birdloop_main(), so we need to use loop->poll_fd.used instead of loop->sock_num to find the last field. --- proto/bfd/io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'proto/bfd') diff --git a/proto/bfd/io.c b/proto/bfd/io.c index 79ed9af7..8f4f5007 100644 --- a/proto/bfd/io.c +++ b/proto/bfd/io.c @@ -589,7 +589,7 @@ sockets_fire(struct birdloop *loop) times_update(loop); /* Last fd is internal wakeup fd */ - if (pfd[loop->sock_num].revents & POLLIN) + if (pfd[poll_num].revents & POLLIN) wakeup_drain(loop); int i; -- cgit v1.2.3