From 702e2bcef28f259e988f8df30ecf11c957c72797 Mon Sep 17 00:00:00 2001 From: "Ondrej Zajicek (work)" Date: Thu, 11 Feb 2016 16:38:28 +0100 Subject: [PATCH] BGP: Fix bug in incoming connection handling When a BGP session was established by an outgoing connection with Graceful Restart behavior negotiated, a pending incoming connection in OpenSent state, and another incoming connection was received, then the outgoing connection (and whole BGP session) was closed, but the old incoming connection was just overwritten by the new one. That later caused a crash when the hold timer from the old connection fired. --- proto/bgp/bgp.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c index 5723f8f3..e94fd4ed 100644 --- a/proto/bgp/bgp.c +++ b/proto/bgp/bgp.c @@ -815,7 +815,13 @@ bgp_incoming_connection(sock *sk, int dummy UNUSED) return 0; } - /* We are in proper state and there is no other incoming connection */ + /* + * BIRD should keep multiple incoming connections in OpenSent state (for + * details RFC 4271 8.2.1 par 3), but it keeps just one. Duplicate incoming + * connections are rejected istead. The exception is the case where an + * incoming connection triggers a graceful restart. + */ + acc = (p->p.proto_state == PS_START || p->p.proto_state == PS_UP) && (p->start_state >= BSS_CONNECT) && (!p->incoming_conn.sk); @@ -825,6 +831,10 @@ bgp_incoming_connection(sock *sk, int dummy UNUSED) bgp_handle_graceful_restart(p); bgp_conn_enter_idle_state(p->conn); acc = 1; + + /* There might be separate incoming connection in OpenSent state */ + if (p->incoming_conn.state > BS_ACTIVE) + bgp_close_conn(&p->incoming_conn); } BGP_TRACE(D_EVENTS, "Incoming connection from %I%J (port %d) %s",