[quagga-dev 13371] [PATCH 11/11] BGP: crash from not NULLing freed pointers

Daniel Walton Wed, 21 Oct 2015 06:51:17 -0700

Signed-off-by: Daniel Walton <[email protected]>
Reviewed-by:   Donald Sharp <[email protected]>


There was a crash from not NULLing out peer->hostname but I cleaned
up a bunch of other suspect ones as well.
---
 bgpd/bgp_packet.c |   13 ++++++-
 bgpd/bgpd.c       |  105 ++++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 87 insertions(+), 31 deletions(-)

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index e1ae494..4ab5b06 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -967,8 +967,13 @@ bgp_notify_send_with_data (struct peer *peer, u_char code, 
u_char sub_code,
            }
       }
     bgp_notify_print (peer, &bgp_notify, "sending");
+
     if (bgp_notify.data)
-      XFREE (MTYPE_TMP, bgp_notify.data);
+      {
+        XFREE (MTYPE_TMP, bgp_notify.data);
+        bgp_notify.data = NULL;
+        bgp_notify.length = 0;
+      }
   }
 
   if (BGP_DEBUG (normal, NORMAL))
@@ -1973,7 +1978,11 @@ bgp_notify_receive (struct peer *peer, bgp_size_t size)
 
     bgp_notify_print(peer, &bgp_notify, "received");
     if (bgp_notify.data)
-      XFREE (MTYPE_TMP, bgp_notify.data);
+      {
+        XFREE (MTYPE_TMP, bgp_notify.data);
+        bgp_notify.data = NULL;
+        bgp_notify.length = 0;
+      }
   }
 
   /* peer count update */
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 1a10c2e..6000c70 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -721,21 +721,36 @@ peer_free (struct peer *peer)
   BGP_EVENT_FLUSH (peer);
   
   if (peer->desc)
-    XFREE (MTYPE_PEER_DESC, peer->desc);
+    {
+      XFREE (MTYPE_PEER_DESC, peer->desc);
+      peer->desc = NULL;
+    }
   
   /* Free allocated host character. */
   if (peer->host)
-    XFREE (MTYPE_BGP_PEER_HOST, peer->host);
-  
+    {
+      XFREE (MTYPE_BGP_PEER_HOST, peer->host);
+      peer->host = NULL;
+    }
+
   /* Update source configuration.  */
   if (peer->update_source)
-    sockunion_free (peer->update_source);
+    {
+      sockunion_free (peer->update_source);
+      peer->update_source = NULL;
+    }
   
   if (peer->update_if)
-    XFREE (MTYPE_PEER_UPDATE_SOURCE, peer->update_if);
+    {
+      XFREE (MTYPE_PEER_UPDATE_SOURCE, peer->update_if);
+      peer->update_if = NULL;
+    }
     
   if (peer->clear_node_queue)
-    work_queue_free (peer->clear_node_queue);
+    {
+      work_queue_free(peer->clear_node_queue);
+      peer->clear_node_queue = NULL;
+    }
   
   bgp_sync_delete (peer);
   memset (peer, 0, sizeof (struct peer));
@@ -1263,22 +1278,41 @@ peer_delete (struct peer *peer)
 
   /* Buffers.  */
   if (peer->ibuf)
-    stream_free (peer->ibuf);
+    {
+      stream_free (peer->ibuf);
+      peer->ibuf = NULL;
+    }
+
   if (peer->obuf)
-    stream_fifo_free (peer->obuf);
+    {
+      stream_fifo_free (peer->obuf);
+      peer->obuf = NULL;
+    }
+
   if (peer->work)
-    stream_free (peer->work);
+    {
+      stream_free (peer->work);
+      peer->work = NULL;
+    }
+
   if (peer->scratch)
-    stream_free(peer->scratch);
-  peer->obuf = NULL;
-  peer->work = peer->scratch = peer->ibuf = NULL;
+    {
+      stream_free(peer->scratch);
+      peer->scratch = NULL;
+    }
 
   /* Local and remote addresses. */
   if (peer->su_local)
-    sockunion_free (peer->su_local);
+    {
+      sockunion_free (peer->su_local);
+      peer->su_local = NULL;
+    }
+
   if (peer->su_remote)
-    sockunion_free (peer->su_remote);
-  peer->su_local = peer->su_remote = NULL;
+    {
+      sockunion_free (peer->su_remote);
+      peer->su_remote = NULL;
+    }
   
   /* Free filter related memory.  */
   for (afi = AFI_IP; afi < AFI_MAX; afi++)
@@ -1289,31 +1323,44 @@ peer_delete (struct peer *peer)
        for (i = FILTER_IN; i < FILTER_MAX; i++)
          {
            if (filter->dlist[i].name)
-             free (filter->dlist[i].name);
+              {
+                free(filter->dlist[i].name);
+                filter->dlist[i].name = NULL;
+              }
+
            if (filter->plist[i].name)
-             free (filter->plist[i].name);
+              {
+                free(filter->plist[i].name);
+                filter->plist[i].name = NULL;
+              }
+
            if (filter->aslist[i].name)
-             free (filter->aslist[i].name);
-            
-            filter->dlist[i].name = NULL;
-            filter->plist[i].name = NULL;
-            filter->aslist[i].name = NULL;
+              {
+                free(filter->aslist[i].name);
+                filter->aslist[i].name = NULL;
+              }
           }
+
         for (i = RMAP_IN; i < RMAP_MAX; i++)
           {
            if (filter->map[i].name)
-             free (filter->map[i].name);
-            filter->map[i].name = NULL;
+              {
+               free (filter->map[i].name);
+                filter->map[i].name = NULL;
+              }
          }
 
        if (filter->usmap.name)
-         free (filter->usmap.name);
+          {
+           free (filter->usmap.name);
+            filter->usmap.name = NULL;
+          }
 
        if (peer->default_rmap[afi][safi].name)
-         free (peer->default_rmap[afi][safi].name);
-        
-        filter->usmap.name = NULL;
-        peer->default_rmap[afi][safi].name = NULL;
+          {
+           free (peer->default_rmap[afi][safi].name);
+            peer->default_rmap[afi][safi].name = NULL;
+          }
       }
   
   peer_unlock (peer); /* initial reference */
-- 
1.7.10.4


_______________________________________________
Quagga-dev mailing list
[email protected]
https://lists.quagga.net/mailman/listinfo/quagga-dev

[quagga-dev 13371] [PATCH 11/11] BGP: crash from not NULLing freed pointers

Reply via email to