forked from Mirror/frr
[bgpd] Bug #533: Fix crash with copy/pasted commands, inc 'no bgp ...'
* bgpd.c: Removal of (struct bgp *) from the master list was being left to bgp_free time. This meant there was a window of time between bgp_delete and refcounts hitting 0 (e.g. routes to be processed) where bgp_lookup's could return a deleted (struct bgp *). (bgp_delete) This is the logical place where a (struct bgp *) should lose its visibility, so move the deletion from the bgp-master list to here, from bgp_free. Many thanks to Fritz Reichmann for his thorough debugging of the problem and testing of fixes and Chris Caputo for his further analysis.
This commit is contained in:
Paul Jakma
parent
3fa3f957e7
commit
fd35b948db
|
|
@ -2074,6 +2074,11 @@ bgp_delete (struct bgp *bgp)
|
||||||
bgp->peer_self = NULL;
|
bgp->peer_self = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Remove visibility via the master list - there may however still be
|
||||||
|
* routes to be processed still referencing the struct bgp.
|
||||||
|
*/
|
||||||
|
listnode_delete (bm->bgp, bgp);
|
||||||
|
|
||||||
bgp_unlock(bgp); /* initial reference */
|
bgp_unlock(bgp); /* initial reference */
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -2104,8 +2109,6 @@ bgp_free (struct bgp *bgp)
|
||||||
list_delete (bgp->peer);
|
list_delete (bgp->peer);
|
||||||
list_delete (bgp->rsclient);
|
list_delete (bgp->rsclient);
|
||||||
|
|
||||||
listnode_delete (bm->bgp, bgp);
|
|
||||||
|
|
||||||
if (bgp->name)
|
if (bgp->name)
|
||||||
free (bgp->name);
|
free (bgp->name);
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue