bgpd: Prevent use after free in bgp_path_info_reap

bgp_path_info_unlock can free the pi, yet the hook call into bgp_snmp_update_stats is passing the pi. This will cause problems with this usage pattern somewhere along the way. Let's just reverse the order and let SNMP do it's magic before freeing. Signed-off-by: Donald Sharp <[email protected]>
donaldsharp · Mar 19, 2024 · 2bda497 · 2bda497
1 parent 7d5056e
commit 2bda497
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
@@ -462,8 +462,9 @@ struct bgp_dest *bgp_path_info_reap(struct bgp_dest *dest,
 		bgp_dest_set_bgp_path_info(dest, pi->next);
 
 	bgp_path_info_mpath_dequeue(pi);
-	bgp_path_info_unlock(pi);
+
 	hook_call(bgp_snmp_update_stats, dest, pi, false);
+	bgp_path_info_unlock(pi);
 
 	return bgp_dest_unlock_node(dest);
 }