bgp_delete() really needs to kill t_startup, otherwise after creating and quickly destroying a BGP instance it may fire on a deallocated struct bgp, overwriting memory.
Reported-by: Martin Winter <[email protected]> Fixes: dd49eb1 ("Fix BGP's use of restart bit.") Cc: Vipin Kumar <[email protected]> Signed-off-by: David Lamparter <[email protected]> --- I'll be pushing this rather quickly due to the simplicity and severity of the issue. Any objections? --- bgpd/bgpd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c index 79bcaaf..d72708e 100644 --- a/bgpd/bgpd.c +++ b/bgpd/bgpd.c @@ -2103,6 +2103,8 @@ bgp_delete (struct bgp *bgp) afi_t afi; int i; + THREAD_OFF (bgp->t_startup); + /* Delete static route. */ bgp_static_delete (bgp); -- 1.8.5.5
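Review bot: The added THREAD_OFF (bgp->t_startup) at the top of bgp_delete() has no comment, unlike the "/* Delete static route. */" step right after it; a one-line comment saying the startup timer must be cancelled before the instance is torn down, because it would otherwise fire on a freed struct bgp, would keep a later cleanup from dropping the call. The hunk only shows t_startup being handled, so it is also worth confirming in the same change that no other timer stored in struct bgp is still scheduled when bgp_delete() returns.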
