Fix bug in bgp_connection not clearing pointers after free. Planted

asserts to try to track timer crash.

2 files changed, 15 insertions, 2 deletions

diff --git a/bgpd/bgp_connection.c b/bgpd/bgp_connection.c
index 690b2903..dcfd57e7 100644
--- a/bgpd/bgp_connection.c
+++ b/bgpd/bgp_connection.c
@@ -572,8 +572,16 @@ bgp_connection_close(bgp_connection connection)
     bgp_connection_disable_accept(connection) ;
 
   /* forget any addresses                                               */
-  sockunion_clear(connection->su_local) ;
-  sockunion_clear(connection->su_remote) ;
+  if (connection->su_local != NULL)
+    {
+      sockunion_clear(connection->su_local) ;
+      connection->su_local = NULL;
+    }
+  if (connection->su_remote != NULL)
+    {
+      sockunion_clear(connection->su_remote) ;
+      connection->su_remote = NULL;
+    }
 
   /* Unset all the timers                                               */
   qtimer_unset(&connection->hold_timer) ;
diff --git a/bgpd/bgp_fsm.c b/bgpd/bgp_fsm.c
index bd1eb600..97c60b1c 100644
--- a/bgpd/bgp_fsm.c
+++ b/bgpd/bgp_fsm.c
@@ -1556,6 +1556,9 @@ bgp_fsm_event(bgp_connection connection, bgp_fsm_event_t event)
 
   do
     {
+      assert(bgp_nexus->pile == connection->hold_timer.pile);
+      assert(bgp_nexus->pile == connection->keepalive_timer.pile);
+
       assert(connection->fsm_active == 1) ;
 
       fsm = &bgp_fsm[connection->state][event] ;
@@ -1596,6 +1599,8 @@ bgp_fsm_event(bgp_connection connection, bgp_fsm_event_t event)
       event = connection->post ;
       connection->post = bgp_fsm_null_event ;
 
+      assert(bgp_nexus->pile == connection->hold_timer.pile);
+      assert(bgp_nexus->pile == connection->keepalive_timer.pile);
     } while (--connection->fsm_active != 0) ;
 
   /* If required, post session event.                                   */