From 169e70e80afebd781d28e396e81ef57692eded9e Mon Sep 17 00:00:00 2001 From: Henning Brauer Date: Sun, 30 Jul 2006 16:27:29 +0000 Subject: there's a nasty little race condition when the neighbor reached max-prefix and at the same time there are messages from him in the socket buffer, because we process the imsgs from the RDE (which tells us max-prefix was reached) first, and put the session to IDLE, close connection and deallocate buffers. if we then try to read from the socket and write to the deallocated buffer we crash, of course. so check whether we have a buffer before reading. crash seen and fix tested by "Sylwester S. Biernacki" --- usr.sbin/bgpd/session.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index 2b1b28a4a36..081f62ca6a5 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.255 2006/07/28 15:04:34 henning Exp $ */ +/* $OpenBSD: session.c,v 1.256 2006/07/30 16:27:28 henning Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer @@ -1550,7 +1550,7 @@ session_dispatch_msg(struct pollfd *pfd, struct peer *p) return (1); } - if (pfd->revents & POLLIN) { + if (p->rbuf && pfd->revents & POLLIN) { if ((n = read(p->fd, p->rbuf->buf + p->rbuf->wpos, sizeof(p->rbuf->buf) - p->rbuf->wpos)) == -1) { if (errno != EINTR && errno != EAGAIN) { -- cgit v1.2.3
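Review bot: the new guard in the session_dispatch_msg() hunk, `if (p->rbuf && pfd->revents & POLLIN) {`, mixes `&&` and `&` without parentheses; C precedence does give the intended meaning, `p->rbuf && (pfd->revents & POLLIN)`, but the explicit parentheses would make that obvious to the next reader and avoid a compiler warning on some toolchains. A one-line comment above the check would also help, since the reason `p->rbuf` can be NULL here (the RDE's max-prefix imsg is processed first, the session is put to IDLE and its buffers freed while a POLLIN is still pending on the same fd) is only recorded in the commit message. Finally, because the fix is a NULL check rather than a change to the processing order, it is worth confirming that the POLLIN branch has no other path that touches `p->rbuf` or `p->fd` after the session can have been torn down in the same dispatch round.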