author Henning Brauer <henning@cvs.openbsd.org> 2006-07-30 16:27:29 +0000
committer Henning Brauer <henning@cvs.openbsd.org> 2006-07-30 16:27:29 +0000
commit 169e70e80afebd781d28e396e81ef57692eded9e
tree 180e36325fa20942a91cd33d6d0096a0a1486303
parent 1dd8351a33c6c5e92f32cab5b1999d2fb40dd27c
there's a nasty little race condition when the neighbor reached max-prefix
and at the same time there are messages from him in the socket buffer, because we process the imsgs from the RDE (which tells us max-prefix was reached) first, and put the session to IDLE, close connection and deallocate buffers. if we then try to read from the socket and write to the deallocated buffer we crash, of course. so check whether we have a buffer before reading. crash seen and fix tested by "Sylwester S. Biernacki" <obeer@obeer.com>
-rw-r--r-- usr.sbin/bgpd/session.c 4
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index 2b1b28a4a36..081f62ca6a5 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.255 2006/07/28 15:04:34 henning Exp $ */
+/* $OpenBSD: session.c,v 1.256 2006/07/30 16:27:28 henning Exp $ */
/*
* Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@@ -1550,7 +1550,7 @@ session_dispatch_msg(struct pollfd *pfd, struct peer *p)
return (1);
}
- if (pfd->revents & POLLIN) {
+ if (p->rbuf && pfd->revents & POLLIN) {
if ((n = read(p->fd, p->rbuf->buf + p->rbuf->wpos,
sizeof(p->rbuf->buf) - p->rbuf->wpos)) == -1) {
if (errno != EINTR && errno != EAGAIN) {
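Review bot: the new condition in session_dispatch_msg, p->rbuf && pfd->revents & POLLIN, is correct only because & binds tighter than &&; writing it as p->rbuf && (pfd->revents & POLLIN) makes the intent explicit and avoids a misreading on later edits. The guard also carries no comment explaining why rbuf can be NULL while POLLIN is still set. One line stating that the earlier imsg handling may already have put the session to IDLE and deallocated the buffers (as the commit message describes) would keep this test from being dropped later as redundant. The read that follows dereferences p->rbuf for both buf and wpos, so the single NULL test does cover every access visible in this hunk.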