author | Henning Brauer <henning@cvs.openbsd.org> | 2006-07-30 16:27:29 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2006-07-30 16:27:29 +0000 |
commit | 169e70e80afebd781d28e396e81ef57692eded9e (patch) | |
tree | 180e36325fa20942a91cd33d6d0096a0a1486303 | |
parent | 1dd8351a33c6c5e92f32cab5b1999d2fb40dd27c (diff) |
there's a nasty little race condition when the neighbor reached max-prefix
and at the same time there are messages from him in the socket buffer,
because we process the imsgs from the RDE (which tells us max-prefix was
reached) first, and put the session to IDLE, close connection and
deallocate buffers. if we then try to read from the socket and write to the
deallocated buffer we crash, of course. so check whether we have a buffer
before reading.
crash seen and fix tested by "Sylwester S. Biernacki" <obeer@obeer.com>
-rw-r--r-- | usr.sbin/bgpd/session.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index 2b1b28a4a36..081f62ca6a5 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.255 2006/07/28 15:04:34 henning Exp $ */ +/* $OpenBSD: session.c,v 1.256 2006/07/30 16:27:28 henning Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org> @@ -1550,7 +1550,7 @@ session_dispatch_msg(struct pollfd *pfd, struct peer *p) return (1); } - if (pfd->revents & POLLIN) { + if (p->rbuf && pfd->revents & POLLIN) { if ((n = read(p->fd, p->rbuf->buf + p->rbuf->wpos, sizeof(p->rbuf->buf) - p->rbuf->wpos)) == -1) { if (errno != EINTR && errno != EAGAIN) { |
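Review bot: in session_dispatch_msg() the new test `p->rbuf && pfd->revents & POLLIN` only protects the read() if the teardown path that deallocates the buffer also sets p->rbuf to NULL. That code is outside this hunk, so it should be confirmed; a freed but non-NULL pointer would pass this check and still be written to. The expression is correct as written because & binds tighter than &&, but `p->rbuf != NULL && (pfd->revents & POLLIN)` states the intent without relying on precedence. A short comment at the condition saying that rbuf can already be gone here, because the RDE imsgs are handled first and may have put the session to IDLE, would keep the reason next to the code. Note also that the read() still uses p->fd, which the commit message says is closed in the same teardown, so the rbuf test is implicitly standing in for a check on the descriptor as well.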