bgpd, lib: fix bgpd core on startup #12

qlyoung · 2016-12-16T22:39:25Z

Fixes #11

Edit: already in master

Signed-off-by: Quentin Young [email protected]

Signed-off-by: Quentin Young <[email protected]>

import Topolog

If path->net is NULL in the bgp_path_info_free() function, then bgpd would crash in bgp_addpath_free_info_data() with the following backtrace: (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007ff7b267a42a in __GI_abort () at abort.c:89 #2 0x00007ff7b39c1ca0 in core_handler (signo=11, siginfo=0x7ffff66414f0, context=<optimized out>) at lib/sigevent.c:249 #3 <signal handler called> #4 idalloc_free_to_pool (pool_ptr=pool_ptr@entry=0x0, id=3) at lib/id_alloc.c:368 #5 0x0000560096246688 in bgp_addpath_free_info_data (d=d@entry=0x560098665468, nd=0x0) at bgpd/bgp_addpath.c:100 #6 0x00005600961bb522 in bgp_path_info_free (path=0x560098665400) at bgpd/bgp_route.c:252 #7 bgp_path_info_unlock (path=0x560098665400) at bgpd/bgp_route.c:276 #8 0x00005600961bb719 in bgp_path_info_reap (rn=rn@entry=0x5600986b2110, pi=pi@entry=0x560098665400) at bgpd/bgp_route.c:320 #9 0x00005600961bf4db in bgp_process_main_one (safi=SAFI_MPLS_VPN, afi=AFI_IP, rn=0x5600986b2110, bgp=0x560098587320) at bgpd/bgp_route.c:2476 #10 bgp_process_wq (wq=<optimized out>, data=0x56009869b8f0) at bgpd/bgp_route.c:2503 #11 0x00007ff7b39d5fcc in work_queue_run (thread=0x7ffff6641e10) at lib/workqueue.c:294 #12 0x00007ff7b39ce3b1 in thread_call (thread=thread@entry=0x7ffff6641e10) at lib/thread.c:1606 #13 0x00007ff7b39a3538 in frr_run (master=0x5600980795b0) at lib/libfrr.c:1011 #14 0x000056009618a5a3 in main (argc=3, argv=0x7ffff6642078) at bgpd/bgp_main.c:481 Add a null-check protection to fix this problem. Signed-off-by: Renato Westphal <[email protected]>

If path->net is NULL in the bgp_path_info_free() function, then bgpd would crash in bgp_addpath_free_info_data() with the following backtrace: (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007ff7b267a42a in __GI_abort () at abort.c:89 #2 0x00007ff7b39c1ca0 in core_handler (signo=11, siginfo=0x7ffff66414f0, context=<optimized out>) at lib/sigevent.c:249 #3 <signal handler called> #4 idalloc_free_to_pool (pool_ptr=pool_ptr@entry=0x0, id=3) at lib/id_alloc.c:368 #5 0x0000560096246688 in bgp_addpath_free_info_data (d=d@entry=0x560098665468, nd=0x0) at bgpd/bgp_addpath.c:100 #6 0x00005600961bb522 in bgp_path_info_free (path=0x560098665400) at bgpd/bgp_route.c:252 #7 bgp_path_info_unlock (path=0x560098665400) at bgpd/bgp_route.c:276 #8 0x00005600961bb719 in bgp_path_info_reap (rn=rn@entry=0x5600986b2110, pi=pi@entry=0x560098665400) at bgpd/bgp_route.c:320 #9 0x00005600961bf4db in bgp_process_main_one (safi=SAFI_MPLS_VPN, afi=AFI_IP, rn=0x5600986b2110, bgp=0x560098587320) at bgpd/bgp_route.c:2476 FRRouting#10 bgp_process_wq (wq=<optimized out>, data=0x56009869b8f0) at bgpd/bgp_route.c:2503 FRRouting#11 0x00007ff7b39d5fcc in work_queue_run (thread=0x7ffff6641e10) at lib/workqueue.c:294 FRRouting#12 0x00007ff7b39ce3b1 in thread_call (thread=thread@entry=0x7ffff6641e10) at lib/thread.c:1606 FRRouting#13 0x00007ff7b39a3538 in frr_run (master=0x5600980795b0) at lib/libfrr.c:1011 FRRouting#14 0x000056009618a5a3 in main (argc=3, argv=0x7ffff6642078) at bgpd/bgp_main.c:481 Add a null-check protection to fix this problem. Signed-off-by: Renato Westphal <[email protected]>

Our Address Sanitizer CI is finding this issue: error 09-Oct-2019 19:28:33 r4: bgpd triggered an exception by AddressSanitizer error 09-Oct-2019 19:28:33 ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd425b060 at pc 0x00000068575f bp 0x7ffdd4258550 sp 0x7ffdd4258540 error 09-Oct-2019 19:28:33 READ of size 1 at 0x7ffdd425b060 thread T0 error 09-Oct-2019 19:28:33 #0 0x68575e in prefix_cmp lib/prefix.c:776 error 09-Oct-2019 19:28:33 #1 0x5889f5 in rfapiItBiIndexSearch bgpd/rfapi/rfapi_import.c:2230 error 09-Oct-2019 19:28:33 #2 0x5889f5 in rfapiBgpInfoFilteredImportVPN bgpd/rfapi/rfapi_import.c:3520 error 09-Oct-2019 19:28:33 #3 0x58b909 in rfapiProcessWithdraw bgpd/rfapi/rfapi_import.c:4071 error 09-Oct-2019 19:28:33 #4 0x4c459b in bgp_withdraw bgpd/bgp_route.c:3736 error 09-Oct-2019 19:28:33 #5 0x484122 in bgp_nlri_parse_vpn bgpd/bgp_mplsvpn.c:237 error 09-Oct-2019 19:28:33 #6 0x497f52 in bgp_nlri_parse bgpd/bgp_packet.c:315 error 09-Oct-2019 19:28:33 #7 0x49d06d in bgp_update_receive bgpd/bgp_packet.c:1598 error 09-Oct-2019 19:28:33 #8 0x49d06d in bgp_process_packet bgpd/bgp_packet.c:2274 error 09-Oct-2019 19:28:33 #9 0x6b9f54 in thread_call lib/thread.c:1531 error 09-Oct-2019 19:28:33 #10 0x657037 in frr_run lib/libfrr.c:1052 error 09-Oct-2019 19:28:33 #11 0x42d268 in main bgpd/bgp_main.c:486 error 09-Oct-2019 19:28:33 #12 0x7f806032482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) error 09-Oct-2019 19:28:33 #13 0x42bcc8 in _start (/usr/lib/frr/bgpd+0x42bcc8) error 09-Oct-2019 19:28:33 error 09-Oct-2019 19:28:33 Address 0x7ffdd425b060 is located in stack of thread T0 at offset 240 in frame error 09-Oct-2019 19:28:33 #0 0x483945 in bgp_nlri_parse_vpn bgpd/bgp_mplsvpn.c:103 error 09-Oct-2019 19:28:33 error 09-Oct-2019 19:28:33 This frame has 5 object(s): error 09-Oct-2019 19:28:33 [32, 36) 'label' error 09-Oct-2019 19:28:33 [96, 108) 'rd_as' error 09-Oct-2019 19:28:33 [160, 172) 'rd_ip' error 09-Oct-2019 19:28:33 [224, 240) 'prd' <== Memory access at offset 240 overflows this variable error 09-Oct-2019 19:28:33 [288, 336) 'p' error 09-Oct-2019 19:28:33 HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext error 09-Oct-2019 19:28:33 (longjmp and C++ exceptions *are* supported) error 09-Oct-2019 19:28:33 SUMMARY: AddressSanitizer: stack-buffer-overflow lib/prefix.c:776 prefix_cmp error 09-Oct-2019 19:28:33 Shadow bytes around the buggy address: error 09-Oct-2019 19:28:33 0x10003a8435b0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 error 09-Oct-2019 19:28:33 0x10003a8435c0: 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 error 09-Oct-2019 19:28:33 0x10003a8435d0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 error 09-Oct-2019 19:28:33 0x10003a8435e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 error 09-Oct-2019 19:28:33 0x10003a8435f0: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 04 f4 f4 f2 f2 error 09-Oct-2019 19:28:33 =>0x10003a843600: f2 f2 00 04 f4 f4 f2 f2 f2 f2 00 00[f4]f4 f2 f2 error 09-Oct-2019 19:28:33 0x10003a843610: f2 f2 00 00 00 00 00 00 f4 f4 f3 f3 f3 f3 00 00 error 09-Oct-2019 19:28:33 0x10003a843620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 error 09-Oct-2019 19:28:33 0x10003a843630: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f4 error 09-Oct-2019 19:28:33 0x10003a843640: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 00 error 09-Oct-2019 19:28:33 0x10003a843650: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 error 09-Oct-2019 19:28:33 Shadow byte legend (one shadow byte represents 8 application bytes): error 09-Oct-2019 19:28:33 Addressable: 00 error 09-Oct-2019 19:28:33 Partially addressable: 01 02 03 04 05 06 07 error 09-Oct-2019 19:28:33 Heap left redzone: fa error 09-Oct-2019 19:28:33 Heap right redzone: fb error 09-Oct-2019 19:28:33 Freed heap region: fd error 09-Oct-2019 19:28:33 Stack left redzone: f1 error 09-Oct-2019 19:28:33 Stack mid redzone: f2 error 09-Oct-2019 19:28:33 Stack right redzone: f3 error 09-Oct-2019 19:28:33 Stack partial redzone: f4 error 09-Oct-2019 19:28:33 Stack after return: f5 error 09-Oct-2019 19:28:33 Stack use after scope: f8 error 09-Oct-2019 19:28:33 Global redzone: f9 error 09-Oct-2019 19:28:33 Global init order: f6 error 09-Oct-2019 19:28:33 Poisoned by user: f7 error 09-Oct-2019 19:28:33 Container overflow: fc error 09-Oct-2019 19:28:33 Array cookie: ac error 09-Oct-2019 19:28:33 Intra object redzone: bb error 09-Oct-2019 19:28:33 ASan internal: fe error 09-Oct-2019 19:28:36 r3: Daemon bgpd not running This is the result of this code pattern in rfapi/rfapi_import.c: prefix_cmp((struct prefix *)&bpi_result->extra->vnc.import.rd, (struct prefix *)prd)) Effectively prd or vnc.import.rd are `struct prefix_rd` which are being typecast to a `struct prefix`. Not a big deal except commit 1315d74 modified the prefix_cmp function to allow for a sorted prefix_cmp. In prefix_cmp we were looking at the offset and shift. In the case of vnc we were passing a prefix length of 64 which is the exact length of the remaining data structure for struct prefix_rd. So we calculated a offset of 8 and a shift of 0. The data structures for the prefix portion happened to be equal to 64 bits of data. So we checked that with the memcmp got a 0 and promptly read off the end of the data structure for the numcmp. The fix is if shift is 0 that means thei the memcmp has checked everything and there is nothing to do. Please note: We will still crash if we set the prefixlen > then ~312 bits currently( ie if the prefixlen specifies a bit length longer than the prefix length ). I do not think there is anything to do here( nor am I sure how to correct this either ) as that we are going to have some severe problems when we muck up the prefixlen. Fixes: #5025 Signed-off-by: Donald Sharp <[email protected]>

Our Address Sanitizer CI is finding this issue: error 09-Oct-2019 19:28:33 r4: bgpd triggered an exception by AddressSanitizer error 09-Oct-2019 19:28:33 ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd425b060 at pc 0x00000068575f bp 0x7ffdd4258550 sp 0x7ffdd4258540 error 09-Oct-2019 19:28:33 READ of size 1 at 0x7ffdd425b060 thread T0 error 09-Oct-2019 19:28:33 #0 0x68575e in prefix_cmp lib/prefix.c:776 error 09-Oct-2019 19:28:33 FRRouting#1 0x5889f5 in rfapiItBiIndexSearch bgpd/rfapi/rfapi_import.c:2230 error 09-Oct-2019 19:28:33 FRRouting#2 0x5889f5 in rfapiBgpInfoFilteredImportVPN bgpd/rfapi/rfapi_import.c:3520 error 09-Oct-2019 19:28:33 FRRouting#3 0x58b909 in rfapiProcessWithdraw bgpd/rfapi/rfapi_import.c:4071 error 09-Oct-2019 19:28:33 FRRouting#4 0x4c459b in bgp_withdraw bgpd/bgp_route.c:3736 error 09-Oct-2019 19:28:33 FRRouting#5 0x484122 in bgp_nlri_parse_vpn bgpd/bgp_mplsvpn.c:237 error 09-Oct-2019 19:28:33 FRRouting#6 0x497f52 in bgp_nlri_parse bgpd/bgp_packet.c:315 error 09-Oct-2019 19:28:33 FRRouting#7 0x49d06d in bgp_update_receive bgpd/bgp_packet.c:1598 error 09-Oct-2019 19:28:33 FRRouting#8 0x49d06d in bgp_process_packet bgpd/bgp_packet.c:2274 error 09-Oct-2019 19:28:33 FRRouting#9 0x6b9f54 in thread_call lib/thread.c:1531 error 09-Oct-2019 19:28:33 FRRouting#10 0x657037 in frr_run lib/libfrr.c:1052 error 09-Oct-2019 19:28:33 FRRouting#11 0x42d268 in main bgpd/bgp_main.c:486 error 09-Oct-2019 19:28:33 FRRouting#12 0x7f806032482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) error 09-Oct-2019 19:28:33 FRRouting#13 0x42bcc8 in _start (/usr/lib/frr/bgpd+0x42bcc8) error 09-Oct-2019 19:28:33 error 09-Oct-2019 19:28:33 Address 0x7ffdd425b060 is located in stack of thread T0 at offset 240 in frame error 09-Oct-2019 19:28:33 #0 0x483945 in bgp_nlri_parse_vpn bgpd/bgp_mplsvpn.c:103 error 09-Oct-2019 19:28:33 error 09-Oct-2019 19:28:33 This frame has 5 object(s): error 09-Oct-2019 19:28:33 [32, 36) 'label' error 09-Oct-2019 19:28:33 [96, 108) 'rd_as' error 09-Oct-2019 19:28:33 [160, 172) 'rd_ip' error 09-Oct-2019 19:28:33 [224, 240) 'prd' <== Memory access at offset 240 overflows this variable error 09-Oct-2019 19:28:33 [288, 336) 'p' error 09-Oct-2019 19:28:33 HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext error 09-Oct-2019 19:28:33 (longjmp and C++ exceptions *are* supported) error 09-Oct-2019 19:28:33 SUMMARY: AddressSanitizer: stack-buffer-overflow lib/prefix.c:776 prefix_cmp error 09-Oct-2019 19:28:33 Shadow bytes around the buggy address: error 09-Oct-2019 19:28:33 0x10003a8435b0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 error 09-Oct-2019 19:28:33 0x10003a8435c0: 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 error 09-Oct-2019 19:28:33 0x10003a8435d0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 error 09-Oct-2019 19:28:33 0x10003a8435e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 error 09-Oct-2019 19:28:33 0x10003a8435f0: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 04 f4 f4 f2 f2 error 09-Oct-2019 19:28:33 =>0x10003a843600: f2 f2 00 04 f4 f4 f2 f2 f2 f2 00 00[f4]f4 f2 f2 error 09-Oct-2019 19:28:33 0x10003a843610: f2 f2 00 00 00 00 00 00 f4 f4 f3 f3 f3 f3 00 00 error 09-Oct-2019 19:28:33 0x10003a843620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 error 09-Oct-2019 19:28:33 0x10003a843630: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f4 error 09-Oct-2019 19:28:33 0x10003a843640: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 00 error 09-Oct-2019 19:28:33 0x10003a843650: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 error 09-Oct-2019 19:28:33 Shadow byte legend (one shadow byte represents 8 application bytes): error 09-Oct-2019 19:28:33 Addressable: 00 error 09-Oct-2019 19:28:33 Partially addressable: 01 02 03 04 05 06 07 error 09-Oct-2019 19:28:33 Heap left redzone: fa error 09-Oct-2019 19:28:33 Heap right redzone: fb error 09-Oct-2019 19:28:33 Freed heap region: fd error 09-Oct-2019 19:28:33 Stack left redzone: f1 error 09-Oct-2019 19:28:33 Stack mid redzone: f2 error 09-Oct-2019 19:28:33 Stack right redzone: f3 error 09-Oct-2019 19:28:33 Stack partial redzone: f4 error 09-Oct-2019 19:28:33 Stack after return: f5 error 09-Oct-2019 19:28:33 Stack use after scope: f8 error 09-Oct-2019 19:28:33 Global redzone: f9 error 09-Oct-2019 19:28:33 Global init order: f6 error 09-Oct-2019 19:28:33 Poisoned by user: f7 error 09-Oct-2019 19:28:33 Container overflow: fc error 09-Oct-2019 19:28:33 Array cookie: ac error 09-Oct-2019 19:28:33 Intra object redzone: bb error 09-Oct-2019 19:28:33 ASan internal: fe error 09-Oct-2019 19:28:36 r3: Daemon bgpd not running This is the result of this code pattern in rfapi/rfapi_import.c: prefix_cmp((struct prefix *)&bpi_result->extra->vnc.import.rd, (struct prefix *)prd)) Effectively prd or vnc.import.rd are `struct prefix_rd` which are being typecast to a `struct prefix`. Not a big deal except commit 1315d74 modified the prefix_cmp function to allow for a sorted prefix_cmp. In prefix_cmp we were looking at the offset and shift. In the case of vnc we were passing a prefix length of 64 which is the exact length of the remaining data structure for struct prefix_rd. So we calculated a offset of 8 and a shift of 0. The data structures for the prefix portion happened to be equal to 64 bits of data. So we checked that with the memcmp got a 0 and promptly read off the end of the data structure for the numcmp. The fix is if shift is 0 that means thei the memcmp has checked everything and there is nothing to do. Please note: We will still crash if we set the prefixlen > then ~312 bits currently( ie if the prefixlen specifies a bit length longer than the prefix length ). I do not think there is anything to do here( nor am I sure how to correct this either ) as that we are going to have some severe problems when we muck up the prefixlen. Fixes: FRRouting#5025 Signed-off-by: Donald Sharp <[email protected]>

The topotest bgp_srv6_sid_explicit generates the crash dump: ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0) The signal is caused by a READ memory access. #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264 FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611 FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807 FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314 FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67 FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115 FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245 FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313 FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425 FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521 FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011 FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219 FRRouting#12 0x55a58a73079d in main zebra/main.c:550 FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360 FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4) Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs") Signed-off-by: Dmytro Shytyi <[email protected]> Signed-off-by: Philippe Guibert <[email protected]>

bgp_flowspec.test_bgp_flowspec_topo started to fail (crash) after this. Let's revert it for now. It's freed a bit above already: hash_release(bpm->entry_hash, bpme); bgp_pbr_match_entry_free(bpme); ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x60e00009f8a0 #0 0x7f27d6cb7f04 in __interceptor_malloc_usable_size ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:119 #1 0x7f27d6c264f6 in __sanitizer::BufferedStackTrace::Unwind(unsigned long, unsigned long, void*, bool, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:131 #2 0x7f27d6c264f6 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1058 #3 0x7f27d68254df in mt_count_free lib/memory.c:83 #4 0x7f27d68254df in qfree lib/memory.c:135 #5 0x5637d57b04a2 in bgp_pbr_match_entry_free bgpd/bgp_pbr.c:977 #6 0x5637d57b04a2 in bgp_pbr_flush_entry bgpd/bgp_pbr.c:1737 #7 0x5637d57b40be in bgp_pbr_policyroute_remove_from_zebra_unit bgpd/bgp_pbr.c:1980 #8 0x5637d57bb7c0 in bgp_pbr_policyroute_remove_from_zebra bgpd/bgp_pbr.c:2144 #9 0x5637d57bb7c0 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2781 #10 0x5637d57bb7c0 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2905 #11 0x5637d58d23e1 in bgp_zebra_withdraw_actual bgpd/bgp_zebra.c:1733 #12 0x5637d57ccc9e in bgp_cleanup_table bgpd/bgp_route.c:7300 #13 0x5637d57e27d2 in bgp_cleanup_routes bgpd/bgp_route.c:7318 #14 0x5637d5911b91 in bgp_delete bgpd/bgpd.c:4370 #15 0x5637d56961b4 in bgp_exit bgpd/bgp_main.c:212 #16 0x5637d56961b4 in sigint bgpd/bgp_main.c:162 #17 0x7f27d68af501 in frr_sigevent_process lib/sigevent.c:117 #18 0x7f27d68db77a in event_fetch lib/event.c:1742 #19 0x7f27d68027e4 in frr_run lib/libfrr.c:1251 #20 0x5637d5697c55 in main bgpd/bgp_main.c:569 #21 0x7f27d630c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #22 0x7f27d630c304 in __libc_start_main_impl ../csu/libc-start.c:360 #23 0x5637d5695ac0 in _start (/usr/lib/frr/bgpd+0x2cfac0) 0x60e00009f8a0 is located 0 bytes inside of 160-byte region [0x60e00009f8a0,0x60e00009f940) freed by thread T0 here: #0 0x7f27d6cb76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 #1 0x7f27d6825500 in qfree lib/memory.c:136 #2 0x5637d57b0366 in bgp_pbr_match_entry_free bgpd/bgp_pbr.c:977 #3 0x5637d57b0366 in bgp_pbr_flush_entry bgpd/bgp_pbr.c:1715 #4 0x5637d57b40be in bgp_pbr_policyroute_remove_from_zebra_unit bgpd/bgp_pbr.c:1980 #5 0x5637d57bb7c0 in bgp_pbr_policyroute_remove_from_zebra bgpd/bgp_pbr.c:2144 #6 0x5637d57bb7c0 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2781 #7 0x5637d57bb7c0 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2905 #8 0x5637d58d23e1 in bgp_zebra_withdraw_actual bgpd/bgp_zebra.c:1733 #9 0x5637d57ccc9e in bgp_cleanup_table bgpd/bgp_route.c:7300 #10 0x5637d57e27d2 in bgp_cleanup_routes bgpd/bgp_route.c:7318 #11 0x5637d5911b91 in bgp_delete bgpd/bgpd.c:4370 #12 0x5637d56961b4 in bgp_exit bgpd/bgp_main.c:212 #13 0x5637d56961b4 in sigint bgpd/bgp_main.c:162 #14 0x7f27d68af501 in frr_sigevent_process lib/sigevent.c:117 #15 0x7f27d68db77a in event_fetch lib/event.c:1742 #16 0x7f27d68027e4 in frr_run lib/libfrr.c:1251 #17 0x5637d5697c55 in main bgpd/bgp_main.c:569 #18 0x7f27d630c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 This reverts commit d0df550. Signed-off-by: Donatas Abraitis <[email protected]>

The following crash happens on a BGP setup with SRv6 used, when locator is updated with the func-bits value moving from 32 bits to 16 bits. > FRRouting#6 0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) > at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29 > FRRouting#7 vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010 > FRRouting#8 0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215 > FRRouting#9 0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340, > bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313 > FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN) > at ./bgpd/bgp_mplsvpn.h:273 > FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978 > FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>, > vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874 > FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804 > FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005 > FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252 > FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565 > (gdb) > Actually, the SID allocated has been freed after the locator deleted event. Protect this part of code by checking the availability of the sid pointer. Signed-off-by: Philippe Guibert <[email protected]>

The topotest bgp_srv6_sid_explicit generates the crash dump: ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0) The signal is caused by a READ memory access. #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264 FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611 FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807 FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314 FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67 FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115 FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245 FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313 FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425 FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521 FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011 FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219 FRRouting#12 0x55a58a73079d in main zebra/main.c:550 FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360 FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4) Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs") Signed-off-by: Dmytro Shytyi <[email protected]> Signed-off-by: Philippe Guibert <[email protected]>

This commit addresses a leak where temporary memory allocated earlier by the `prefix_copy` function for AF_FLOWSPEC prefixes was not being freed. To ensure proper memory management, we now release this temporary memory by calling `prefix_flowspec_ptr_free`. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in bgp_flowspec.test_bgp_flowspec_topo/r1.asan.bgpd.11539 ================================================================= ==11539==ERROR: LeakSanitizer: detected memory leaks Direct leak of 56 byte(s) in 2 object(s) allocated from: #0 0x7feaa956ad28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x7feaa8f670da in qcalloc lib/memory.c:105 FRRouting#2 0x7feaa8fac1d4 in prefix_copy lib/prefix.c:346 FRRouting#3 0x7feaa8ff43e8 in route_node_get lib/table.c:274 FRRouting#4 0x56247cc798c0 in bgp_node_get bgpd/bgp_table.h:236 FRRouting#5 0x56247cc798c0 in bgp_afi_node_get bgpd/bgp_route.c:145 FRRouting#6 0x56247cc92622 in bgp_update bgpd/bgp_route.c:4188 FRRouting#7 0x56247ce55b21 in bgp_nlri_parse_flowspec bgpd/bgp_flowspec.c:193 FRRouting#8 0x56247cc4cdd8 in bgp_nlri_parse bgpd/bgp_packet.c:350 FRRouting#9 0x56247cc4f37c in bgp_update_receive bgpd/bgp_packet.c:2153 FRRouting#10 0x56247cc591e2 in bgp_process_packet bgpd/bgp_packet.c:3214 FRRouting#11 0x7feaa9005b99 in event_call lib/event.c:1979 FRRouting#12 0x7feaa8f4a379 in frr_run lib/libfrr.c:1213 FRRouting#13 0x56247cb51b21 in main bgpd/bgp_main.c:510 FRRouting#14 0x7feaa7f8dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 56 byte(s) leaked in 2 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]> (cherry picked from commit a7fe30e) Conflicts: bgpd/bgp_table.c lib/prefix.c lib/prefix.h lib/table.c Signed-off-by: Louis Scalbert <[email protected]> Signed-off-by: Philippe Guibert <[email protected]>

Upon examining this Indirect leak: Indirect leak of 160 byte(s) in 4 object(s) allocated from: #0 0x7fe4f40b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 #1 0x7fe4f3c24c1d in qcalloc lib/memory.c:111 #2 0x7fe4f3c03441 in list_new lib/linklist.c:49 #3 0x564c81d076f9 in ospf_spf_vertex_copy ospfd/ospf_spf.c:335 #4 0x564c81d0bff2 in ospf_spf_copy ospfd/ospf_spf.c:378 #5 0x564c81d158e8 in ospf_ti_lfa_generate_p_space ospfd/ospf_ti_lfa.c:787 #6 0x564c81d162f5 in ospf_ti_lfa_generate_p_spaces ospfd/ospf_ti_lfa.c:923 #7 0x564c81d16532 in ospf_ti_lfa_compute ospfd/ospf_ti_lfa.c:1101 #8 0x564c81d0e942 in ospf_spf_calculate_area ospfd/ospf_spf.c:1811 #9 0x564c81d0eaa6 in ospf_spf_calculate_areas ospfd/ospf_spf.c:1840 #10 0x564c81d0eda2 in ospf_spf_calculate_schedule_worker ospfd/ospf_spf.c:1871 #11 0x7fe4f3cdd7c3 in event_call lib/event.c:2009 #12 0x7fe4f3c027e9 in frr_run lib/libfrr.c:1252 #13 0x564c81c95191 in main ospfd/ospf_main.c:307 #14 0x7fe4f370c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 It was noticed that the vertex has another list that is not being cleanedup. Let's allow this to happen. Signed-off-by: Donald Sharp <[email protected]>

Upon examining this Indirect leak: Indirect leak of 160 byte(s) in 4 object(s) allocated from: #0 0x7fe4f40b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 #1 0x7fe4f3c24c1d in qcalloc lib/memory.c:111 #2 0x7fe4f3c03441 in list_new lib/linklist.c:49 #3 0x564c81d076f9 in ospf_spf_vertex_copy ospfd/ospf_spf.c:335 #4 0x564c81d0bff2 in ospf_spf_copy ospfd/ospf_spf.c:378 #5 0x564c81d158e8 in ospf_ti_lfa_generate_p_space ospfd/ospf_ti_lfa.c:787 #6 0x564c81d162f5 in ospf_ti_lfa_generate_p_spaces ospfd/ospf_ti_lfa.c:923 #7 0x564c81d16532 in ospf_ti_lfa_compute ospfd/ospf_ti_lfa.c:1101 #8 0x564c81d0e942 in ospf_spf_calculate_area ospfd/ospf_spf.c:1811 #9 0x564c81d0eaa6 in ospf_spf_calculate_areas ospfd/ospf_spf.c:1840 #10 0x564c81d0eda2 in ospf_spf_calculate_schedule_worker ospfd/ospf_spf.c:1871 #11 0x7fe4f3cdd7c3 in event_call lib/event.c:2009 #12 0x7fe4f3c027e9 in frr_run lib/libfrr.c:1252 #13 0x564c81c95191 in main ospfd/ospf_main.c:307 #14 0x7fe4f370c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 It was noticed that the vertex has another list that is not being cleanedup. Let's allow this to happen. Signed-off-by: Donald Sharp <[email protected]> (cherry picked from commit 2d0f460)

The following crash has happened. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=134363256068544) at ./nptl/pthread_kill.c:44 > FRRouting#1 __pthread_kill_internal (signo=11, threadid=134363256068544) at ./nptl/pthread_kill.c:78 > FRRouting#2 __GI___pthread_kill (threadid=134363256068544, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > FRRouting#3 0x00007a33e1c42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x00007a33e210feca in core_handler (signo=11, siginfo=0x7ffd4a405130, context=<optimized out>) at lib/sigevent.c:268 > FRRouting#5 <signal handler called> > FRRouting#6 vpn_leak_to_vrf_update_onevrf (to_bgp=0x5a70a945d9b0, from_bgp=0x5a70a945d9b0, path_vpn=0x5a70a9488b50, prd=0x0, from=0x5a70a9482350) at bgpd/bgp_mplsvpn.c:2256 > FRRouting#7 0x00005a7093ca627c in vpn_leak_to_vrf_update_all (to_bgp=to_bgp@entry=0x5a70a945d9b0, vpn_from=vpn_from@entry=0x5a70a945d9b0, afi=afi@entry=AFI_IP) at bgpd/bgp_mplsvpn.c:2839 > FRRouting#8 0x00005a7093ca789d in vpn_leak_postchange (bgp_vrf=0x5a70a945d9b0, bgp_vpn=0x5a70a945d9b0, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_FROMVPN) at ./bgpd/bgp_mplsvpn.h:270 > FRRouting#9 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:4001 > FRRouting#10 0x00007a33e2123366 in event_call (thread=thread@entry=0x7ffd4a405a50) at lib/event.c:2005 > FRRouting#11 0x00007a33e20c3828 in frr_run (loop=0x5a70a8c0ff90) at lib/libfrr.c:1252 > FRRouting#12 0x00005a7093c45122 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:565 prefix attached to pdest is null. Protect it. Signed-off-by: Philippe Guibert <[email protected]>

The following crash happens on a BGP setup with SRv6 used, when locator is updated with the func-bits value moving from 32 bits to 16 bits. > FRRouting#6 0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) > at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29 > FRRouting#7 vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010 > FRRouting#8 0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215 > FRRouting#9 0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340, > bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313 > FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN) > at ./bgpd/bgp_mplsvpn.h:273 > FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978 > FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>, > vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874 > FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804 > FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005 > FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252 > FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565 > (gdb) > Actually, the SID allocated has been freed after the locator deleted event. Protect this part of code by checking the availability of the sid pointer. Signed-off-by: Philippe Guibert <[email protected]>

The topotest bgp_srv6_sid_explicit generates the crash dump: ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0) The signal is caused by a READ memory access. #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264 FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611 FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807 FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314 FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67 FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115 FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245 FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313 FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425 FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521 FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011 FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219 FRRouting#12 0x55a58a73079d in main zebra/main.c:550 FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360 FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4) Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs") Signed-off-by: Dmytro Shytyi <[email protected]> Signed-off-by: Philippe Guibert <[email protected]>

The following crash happens on a BGP setup with SRv6 used, when locator is updated with the func-bits value moving from 32 bits to 16 bits. > FRRouting#6 0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) > at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29 > FRRouting#7 vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010 > FRRouting#8 0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215 > FRRouting#9 0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340, > bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313 > FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN) > at ./bgpd/bgp_mplsvpn.h:273 > FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978 > FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>, > vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874 > FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804 > FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005 > FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252 > FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565 > (gdb) > Actually, the SID allocated has been freed after the locator deleted event. Protect this part of code by checking the availability of the sid pointer. Signed-off-by: Philippe Guibert <[email protected]>

The topotest bgp_srv6_sid_explicit generates the crash dump: ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0) The signal is caused by a READ memory access. #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264 FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611 FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807 FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314 FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67 FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115 FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245 FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313 FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425 FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521 FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011 FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219 FRRouting#12 0x55a58a73079d in main zebra/main.c:550 FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360 FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4) Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs") Signed-off-by: Dmytro Shytyi <[email protected]> Signed-off-by: Philippe Guibert <[email protected]>

The following crash happens on a BGP setup with SRv6 used, when locator is updated with the func-bits value moving from 32 bits to 16 bits. > FRRouting#6 0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) > at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29 > FRRouting#7 vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010 > FRRouting#8 0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215 > FRRouting#9 0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340, > bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313 > FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN) > at ./bgpd/bgp_mplsvpn.h:273 > FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978 > FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>, > vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874 > FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804 > FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005 > FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252 > FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565 > (gdb) > Actually, the SID allocated has been freed after the locator deleted event. Protect this part of code by checking the availability of the sid pointer. Signed-off-by: Philippe Guibert <[email protected]>

bgpd, lib: fix bgpd core on startup

23ac345

Signed-off-by: Quentin Young <[email protected]>

qlyoung closed this Dec 16, 2016

dslicenc mentioned this pull request Feb 6, 2017

zebra and bgp crash at startup in master #170

Closed

qlyoung deleted the bgpd-core-fix branch May 10, 2017 17:41

anithanarasimhamurthy mentioned this pull request May 17, 2017

nhrpd crash on unconfig of nhrp event socket #570

Closed

This was referenced Sep 5, 2017

large-community regex crash #1103

Closed

ospfv3 is failing in topotests #1135

Closed

louberger mentioned this pull request May 15, 2018

Bgpd crash on shutdown when have VRFs and leaked routes #2184

Closed

louberger mentioned this pull request Aug 27, 2018

Abstract void *aggregate pointer in struct route_node #2785

Merged

donaldsharp mentioned this pull request Sep 21, 2018

EIGRP has some bad reads when being shutdown #3065

Closed

mdash-vmware mentioned this pull request Oct 8, 2018

BGPd crashed on 2 routers while running Topotest "test_bgp_l3vpn_to_bgp_vrf.py" #3144

Closed

donaldsharp mentioned this pull request Oct 30, 2018

new Data plane code crashes in CI #3260

Closed

karamalla0406 mentioned this pull request Nov 14, 2018

BGP daemon crash a L2VNI in unconfigured #3333

Closed

vijaykug mentioned this pull request Nov 16, 2018

BGP daemon cored after configuring default-originate in ipv4 label unicast family #3347

Closed

cfra referenced this pull request in opensourcerouting/frr Nov 29, 2018

Merge pull request #12 from opensourcerouting/tgen-log

6b7872c

import Topolog

jasonlittledragon mentioned this pull request Jan 28, 2019

uninstall_element call cause Segmentation fault #3685

Closed

mjstapp mentioned this pull request Mar 5, 2019

Privilege escalation can deadlock #3910

Closed

SathishVenkatesh7 mentioned this pull request Apr 29, 2019

OSPFd: Crashed on Hash table Access on Multiple Scenario's #4223

Closed

louberger mentioned this pull request May 1, 2019

Zebra diet #4236

Merged

kssoman mentioned this pull request Jun 11, 2019

bgpd: Process core when bgp instance is deleted #4499

Merged

karamalla0406 mentioned this pull request Sep 18, 2019

"show bgp l2vpn evpn neighbors 52.1.1.1 advertised-routes json" command results in BGP daemon crash #5010

Closed

donaldsharp mentioned this pull request Sep 20, 2019

BGP VNC is crashing in our Address Sanitizer tests #5025

Closed

donaldsharp mentioned this pull request Nov 1, 2019

bgpd: Prevent usage after free in bgp_mac.c #5260

Merged

louberger mentioned this pull request Nov 3, 2019

bgpd: Send "Peer De-configured" notification before closing the socket #5273

Closed

donaldsharp mentioned this pull request Oct 7, 2025

ospfd: On cleanup, actually free vertexes #19686

Merged

mergify bot mentioned this pull request Oct 7, 2025

ospfd: On cleanup, actually free vertexes (backport #19686) #19687

Closed

This was referenced Oct 7, 2025

ospfd: On cleanup, actually free vertexes (backport #19686) #19688

Closed

ospfd: On cleanup, actually free vertexes (backport #19686) #19689

Closed

soumyar-roy mentioned this pull request Oct 29, 2025

bgpd: Crash due to usage of freed up evpn_overlay attr #19879

Merged

Shbinging mentioned this pull request Dec 25, 2025

isisd: crash in unpack_tlv_router_cap via stream_getc assertion failure #20329

Closed

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

bgpd, lib: fix bgpd core on startup #12

bgpd, lib: fix bgpd core on startup #12

Uh oh!

qlyoung commented Dec 16, 2016 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

bgpd, lib: fix bgpd core on startup #12

bgpd, lib: fix bgpd core on startup #12

Uh oh!

Conversation

qlyoung commented Dec 16, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

qlyoung commented Dec 16, 2016 •

edited

Loading