bgpd: fix possible use-after-free in up_generate_addpath()
The code around adjout_prefix_withdraw() is a bit too complex to be sure
that there is never a case where the prefix is removed and freed. So use
the safe idiom to fetch the next element before calling
adjout_prefix_withdraw().
Fix for CID 500335
--
:wq Claudio
Index: rde_update.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/rde_update.c,v
diff -u -p -r1.186 rde_update.c
--- rde_update.c 2 Dec 2025 13:03:35 -0000 1.186
+++ rde_update.c 3 Dec 2025 09:40:42 -0000
@@ -258,7 +258,7 @@ void
up_generate_addpath(struct rde_peer *peer, struct rib_entry *re)
{
struct prefix *new;
- struct adjout_prefix *head, *p;
+ struct adjout_prefix *head, *p, *np;
int maxpaths = 0, extrapaths = 0, extra;
int checkmode = 1;
@@ -332,7 +332,8 @@ up_generate_addpath(struct rde_peer *pee
}
/* withdraw stale paths */
- for (p = head; p != NULL; p = adjout_prefix_next(peer, p)) {
+ for (p = head; p != NULL; p = np) {
+ np = adjout_prefix_next(peer, p);
if (p->flags & PREFIX_ADJOUT_FLAG_STALE)
adjout_prefix_withdraw(peer, p);
}
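Review bot: Fetching `np` before the call on L29 only protects against `p` itself being freed by adjout_prefix_withdraw(); if that function can also unlink or free the following element (the description itself says the surrounding code is hard to reason about), `np` is dangling on the next iteration, so that assumption deserves to be stated where the idiom is used. I would make the intent explicit with a comment above the loop, `/* adjout_prefix_withdraw() may free p, so fetch the next element first */`, so the ordering is not "simplified" back by a later cleanup. Whether the next element can be removed as a side effect is not visible from this hunk and should be confirmed against adjout_prefix_withdraw(). The enclosing function up_generate_addpath() begins outside this hunk.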