From 2bda497f258ed75638bc79eaad7483b16b904fb4 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Tue, 19 Mar 2024 10:34:51 -0400
Subject: [PATCH] bgpd: Prevent use after free in bgp_path_info_reap
bgp_path_info_unlock can free the pi, yet the hook call into bgp_snmp_update_stats is passing the pi. This will cause problems with this usage pattern somewhere along the way. Let's just reverse the order and let SNMP do it's magic before freeing.
Signed-off-by: Donald Sharp
---
 bgpd/bgp_route.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
index 4533565b7f3e..34f45920d511 100644
--- a/bgpd/bgp_route.c
+++ b/bgpd/bgp_route.c
@@ -462,8 +462,9 @@ struct bgp_dest *bgp_path_info_reap(struct bgp_dest *dest,
 bgp_dest_set_bgp_path_info(dest, pi->next);
 bgp_path_info_mpath_dequeue(pi);
- bgp_path_info_unlock(pi);
+ hook_call(bgp_snmp_update_stats, dest, pi, false);
+ bgp_path_info_unlock(pi);
 return bgp_dest_unlock_node(dest);
 }
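Review bot: The reordered tail of bgp_path_info_reap has no comment saying that `bgp_path_info_unlock(pi)` must remain the last use of `pi`, so a later cleanup could move the hook call back below it and reintroduce the use-after-free. I would add `/* bgp_path_info_unlock() may free pi: keep every use of pi, hooks included, above it */` directly above the unlock call. The subscribers of `bgp_snmp_update_stats` are not visible here; if any of them stores `pi` instead of only reading it during the call, it would need to take its own reference, which is worth confirming. The function body starts outside the hunk, so the earlier uses of `pi` are not covered by this note. An AddressSanitizer run of a test that reaps a path with the SNMP hook registered would confirm the fix and guard the ordering.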