bgpd: Prevent use after free

When bgp_stop finishes and it deletes the peer it is sending back a return code stating that the peer was deleted, but the code was operating like it was not deleted and continued to access the data structure. Fix. Signed-off-by: Donald Sharp <sharpd@nvidia.com>
donaldsharp · Aug 25, 2023 · 5160672 · 5160672
1 parent d4a9b10
commit 5160672
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/bgpd/bgp_fsm.c b/bgpd/bgp_fsm.c
@@ -2675,7 +2675,6 @@ int bgp_event_update(struct peer *peer, enum bgp_fsm_events event)
 		bgp_timer_set(peer);
 		break;
 	case BGP_FSM_FAILURE:
-	case BGP_FSM_FAILURE_AND_DELETE:
 		/*
 		 * If we got a return value of -1, that means there was an
 		 * error, restart the FSM. Since bgp_stop() was called on the
@@ -2699,7 +2698,9 @@ int bgp_event_update(struct peer *peer, enum bgp_fsm_events event)
 			bgp_timer_set(peer);
 		}
 		fsm_result = FSM_PEER_STOPPED;
-
+		break;
+	case BGP_FSM_FAILURE_AND_DELETE:
+		fsm_result = FSM_PEER_STOPPED;
 		break;
 	}