in session_dispatch_msg, in the loop where we suck the messages out of the

buffers, we need to check wether the buffers are still there before trying to
get the next message. the previous one might have caused the session to drop
back to the IDLE state, which implies that those buffers have been
deallocated.

ok claudio@

1 files changed, 10 insertions, 1 deletions

diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index 9c954c3e07a..69f27906c15 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: session.c,v 1.69 2004/01/06 20:41:55 henning Exp $ */
+/*	$OpenBSD: session.c,v 1.70 2004/01/06 20:44:15 henning Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -1046,9 +1046,15 @@ session_dispatch_msg(struct pollfd *pfd, struct peer *peer)
 			av = peer->rbuf->wpos + n;
 			peer->stats.last_read = time(NULL);
 
+			/*
+			 * session might drop to IDLE -> buffers deallocated
+			 * we MUST check rbuf != NULL before use
+			 */
 			for (;;) {
 				if (rpos + MSGSIZE_HEADER > av)
 					break;
+				if (peer->rbuf == NULL)
+					break;
 				if (parse_header(peer, peer->rbuf->buf + rpos,
 				    &msglen, &msgtype) == -1)
 					return (0);
@@ -1082,6 +1088,9 @@ session_dispatch_msg(struct pollfd *pfd, struct peer *peer)
 				}
 				rpos += msglen;
 			}
+			if (peer->rbuf == NULL)
+				return (1);
+
 			if (rpos < av) {
 				left = av - rpos;
 				memcpy(&peer->rbuf->buf, peer->rbuf->buf + rpos,