bgpd: bgp_clear_adj_in|remove dest may be freed

donaldsharp · donaldsharp · commit ec8a02af45d0 · 2023-09-10T12:14:00.000-04:00
dest will not be freed due to lock but coverity does not know
that.  Give it a hint.  This change includes modifying bgp_dest_unlock_node
to return the dest pointer so that we can determine if we should
continue working on dest or not with an assert.  Since this
is lock based we should be ok.

Signed-off-by: Donald Sharp &lt;sharpd@nvidia.com&gt;
diff --git a/bgpd/bgp_advertise.c b/bgpd/bgp_advertise.c
@@ -188,11 +188,11 @@ void bgp_adj_in_set(struct bgp_dest *dest, struct peer *peer, struct attr *attr,
 	bgp_dest_lock_node(dest);
 }
 
-void bgp_adj_in_remove(struct bgp_dest *dest, struct bgp_adj_in *bai)
+void bgp_adj_in_remove(struct bgp_dest **dest, struct bgp_adj_in *bai)
 {
 	bgp_attr_unintern(&bai->attr);
-	BGP_ADJ_IN_DEL(dest, bai);
-	bgp_dest_unlock_node(dest);
+	BGP_ADJ_IN_DEL(*dest, bai);
+	*dest = bgp_dest_unlock_node(*dest);
 	peer_unlock(bai->peer); /* adj_in peer reference */
 	XFREE(MTYPE_BGP_ADJ_IN, bai);
 }
@@ -212,9 +212,11 @@ bool bgp_adj_in_unset(struct bgp_dest *dest, struct peer *peer,
 		adj_next = adj->next;
 
 		if (adj->peer == peer && adj->addpath_rx_id == addpath_id)
-			bgp_adj_in_remove(dest, adj);
+			bgp_adj_in_remove(&dest, adj);
 
 		adj = adj_next;
+
+		assert(dest);
 	}
 
 	return true;
diff --git a/bgpd/bgp_advertise.h b/bgpd/bgp_advertise.h
@@ -132,7 +132,7 @@ extern void bgp_adj_in_set(struct bgp_dest *dest, struct peer *peer,
 			   struct attr *attr, uint32_t addpath_id);
 extern bool bgp_adj_in_unset(struct bgp_dest *dest, struct peer *peer,
 			     uint32_t addpath_id);
-extern void bgp_adj_in_remove(struct bgp_dest *dest, struct bgp_adj_in *bai);
+extern void bgp_adj_in_remove(struct bgp_dest **dest, struct bgp_adj_in *bai);
 
 extern unsigned int bgp_advertise_attr_hash_key(const void *p);
 extern bool bgp_advertise_attr_hash_cmp(const void *p1, const void *p2);
diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
@@ -5671,9 +5671,11 @@ static void bgp_clear_route_table(struct peer *peer, afi_t afi, safi_t safi,
 			ain_next = ain->next;
 
 			if (ain->peer == peer)
-				bgp_adj_in_remove(dest, ain);
+				bgp_adj_in_remove(&dest, ain);
 
 			ain = ain_next;
+
+			assert(dest);
 		}
 
 		for (pi = bgp_dest_get_bgp_path_info(dest); pi; pi = next) {
@@ -5778,9 +5780,11 @@ void bgp_clear_adj_in(struct peer *peer, afi_t afi, safi_t safi)
 			ain_next = ain->next;
 
 			if (ain->peer == peer)
-				bgp_adj_in_remove(dest, ain);
+				bgp_adj_in_remove(&dest, ain);
 
 			ain = ain_next;
+
+			assert(dest);
 		}
 	}
 }
diff --git a/bgpd/bgp_table.c b/bgpd/bgp_table.c
@@ -75,7 +75,7 @@ const char *bgp_dest_get_prefix_str(struct bgp_dest *dest)
 /*
  * bgp_dest_unlock_node
  */
-inline void bgp_dest_unlock_node(struct bgp_dest *dest)
+inline struct bgp_dest *bgp_dest_unlock_node(struct bgp_dest *dest)
 {
 	frrtrace(1, frr_bgp, bgp_dest_unlock, dest);
 	bgp_delete_listnode(dest);
@@ -89,9 +89,12 @@ inline void bgp_dest_unlock_node(struct bgp_dest *dest)
 						   rt->safi);
 		}
 		XFREE(MTYPE_BGP_NODE, dest);
+		dest = NULL;
 		rn->info = NULL;
 	}
 	route_unlock_node(rn);
+
+	return dest;
 }
 
 /*
diff --git a/bgpd/bgp_table.h b/bgpd/bgp_table.h
@@ -112,7 +112,7 @@ extern struct bgp_table *bgp_table_init(struct bgp *bgp, afi_t, safi_t);
 extern void bgp_table_lock(struct bgp_table *);
 extern void bgp_table_unlock(struct bgp_table *);
 extern void bgp_table_finish(struct bgp_table **);
-extern void bgp_dest_unlock_node(struct bgp_dest *dest);
+extern struct bgp_dest *bgp_dest_unlock_node(struct bgp_dest *dest);
 extern struct bgp_dest *bgp_dest_lock_node(struct bgp_dest *dest);
 extern const char *bgp_dest_get_prefix_str(struct bgp_dest *dest);
 

Original file line number	Diff line number	Diff line change
`@@ -188,11 +188,11 @@ void bgp_adj_in_set(struct bgp_dest dest, struct peer peer, struct attr *attr,`
`188`	`188`	`bgp_dest_lock_node(dest);`
`189`	`189`	`}`
`190`	`190`
`191`		`-void bgp_adj_in_remove(struct bgp_dest dest, struct bgp_adj_in bai)`
	`191`	`+void bgp_adj_in_remove(struct bgp_dest *dest, struct bgp_adj_in bai)`
`192`	`192`	`{`
`193`	`193`	`bgp_attr_unintern(&bai->attr);`
`194`		`- BGP_ADJ_IN_DEL(dest, bai);`
`195`		`- bgp_dest_unlock_node(dest);`
	`194`	`+ BGP_ADJ_IN_DEL(*dest, bai);`
	`195`	`+ dest = bgp_dest_unlock_node(dest);`
`196`	`196`	`peer_unlock(bai->peer); /* adj_in peer reference */`
`197`	`197`	`XFREE(MTYPE_BGP_ADJ_IN, bai);`
`198`	`198`	`}`
`@@ -212,9 +212,11 @@ bool bgp_adj_in_unset(struct bgp_dest dest, struct peer peer,`
`212`	`212`	`adj_next = adj->next;`
`213`	`213`
`214`	`214`	`if (adj->peer == peer && adj->addpath_rx_id == addpath_id)`
`215`		`- bgp_adj_in_remove(dest, adj);`
	`215`	`+ bgp_adj_in_remove(&dest, adj);`
`216`	`216`
`217`	`217`	`adj = adj_next;`
	`218`	`+`
	`219`	`+ assert(dest);`
`218`	`220`	`}`
`219`	`221`
`220`	`222`	`return true;`
Original file line number	Diff line number	Diff line change
`@@ -5671,9 +5671,11 @@ static void bgp_clear_route_table(struct peer *peer, afi_t afi, safi_t safi,`
`5671`	`5671`	`ain_next = ain->next;`
`5672`	`5672`
`5673`	`5673`	`if (ain->peer == peer)`
`5674`		`- bgp_adj_in_remove(dest, ain);`
	`5674`	`+ bgp_adj_in_remove(&dest, ain);`
`5675`	`5675`
`5676`	`5676`	`ain = ain_next;`
	`5677`	`+`
	`5678`	`+ assert(dest);`
`5677`	`5679`	`}`
`5678`	`5680`
`5679`	`5681`	`for (pi = bgp_dest_get_bgp_path_info(dest); pi; pi = next) {`
`@@ -5778,9 +5780,11 @@ void bgp_clear_adj_in(struct peer *peer, afi_t afi, safi_t safi)`
`5778`	`5780`	`ain_next = ain->next;`
`5779`	`5781`
`5780`	`5782`	`if (ain->peer == peer)`
`5781`		`- bgp_adj_in_remove(dest, ain);`
	`5783`	`+ bgp_adj_in_remove(&dest, ain);`
`5782`	`5784`
`5783`	`5785`	`ain = ain_next;`
	`5786`	`+`
	`5787`	`+ assert(dest);`
`5784`	`5788`	`}`
`5785`	`5789`	`}`
`5786`	`5790`	`}`
Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ const char bgp_dest_get_prefix_str(struct bgp_dest dest)`
`75`	`75`	`/*`
`76`	`76`	`* bgp_dest_unlock_node`
`77`	`77`	`*/`
`78`		`-inline void bgp_dest_unlock_node(struct bgp_dest *dest)`
	`78`	`+inline struct bgp_dest bgp_dest_unlock_node(struct bgp_dest dest)`
`79`	`79`	`{`
`80`	`80`	`frrtrace(1, frr_bgp, bgp_dest_unlock, dest);`
`81`	`81`	`bgp_delete_listnode(dest);`
`@@ -89,9 +89,12 @@ inline void bgp_dest_unlock_node(struct bgp_dest *dest)`
`89`	`89`	`rt->safi);`
`90`	`90`	`}`
`91`	`91`	`XFREE(MTYPE_BGP_NODE, dest);`
	`92`	`+ dest = NULL;`
`92`	`93`	`rn->info = NULL;`
`93`	`94`	`}`
`94`	`95`	`route_unlock_node(rn);`
	`96`	`+`
	`97`	`+ return dest;`
`95`	`98`	`}`
`96`	`99`
`97`	`100`	`/*`