From 5160672d99ad4f583376542f04c9e68d357f9f73 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Fri, 25 Aug 2023 10:43:56 -0400
Subject: [PATCH] bgpd: Prevent use after free When bgp_stop finishes and it deletes the peer it is sending back a return code stating that the peer was deleted, but the code was operating like it was not deleted and continued to access the data structure. Fix.
Signed-off-by: Donald Sharp
---
 bgpd/bgp_fsm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bgpd/bgp_fsm.c b/bgpd/bgp_fsm.c
index d08159eb50fb..92038a73e4e2 100644
--- a/bgpd/bgp_fsm.c
+++ b/bgpd/bgp_fsm.c
@@ -2675,7 +2675,6 @@ int bgp_event_update(struct peer *peer, enum bgp_fsm_events event)
 bgp_timer_set(peer);
 break;
 case BGP_FSM_FAILURE:
- case BGP_FSM_FAILURE_AND_DELETE:
 /*
 * If we got a return value of -1, that means there was an
 * error, restart the FSM. Since bgp_stop() was called on the
@@ -2699,7 +2698,9 @@ int bgp_event_update(struct peer *peer, enum bgp_fsm_events event)
 bgp_timer_set(peer);
 }
 fsm_result = FSM_PEER_STOPPED;
-
+ break;
+ case BGP_FSM_FAILURE_AND_DELETE:
+ fsm_result = FSM_PEER_STOPPED;
 break;
 }
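Review bot: The new `case BGP_FSM_FAILURE_AND_DELETE:` arm in the second hunk has no comment saying why it is kept apart from `BGP_FSM_FAILURE`, so a later cleanup could merge the two labels again and reintroduce the access to a freed peer. I would add `/* bgp_stop() has already deleted the peer; it must not be dereferenced here */` above the assignment. Both arms set `fsm_result = FSM_PEER_STOPPED`, so the return value alone does not tell a caller whether `peer` still exists. Callers and any code after the switch lie outside this hunk and presumably have to treat the pointer as invalid once that value comes back, which is worth confirming. bgp_event_update starts and ends outside the hunk.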