@ton31337

This is actually happening when adding/deleting a route-map which is already
assigned to the peer, e.g.:

```
vtysh -c 'enable' -c 'config terminal' -c 'route-map 1735210719119015328 permit 10' -c 'set local-preference 100' -c end
vtysh -c 'enable' -c 'clear ip bgp vrf default 10.10.10.20 soft'
vtysh -c 'enable' -c 'config terminal' -c 'no route-map 1735210719119015328' -c end
vtysh -c 'enable' -c 'config terminal' -c 'route-map 1735210719119015328 permit 10' -c 'set local-preference 100' -c end
vtysh -c 'enable' -c 'config terminal' -c 'no route-map 1735210719119015328' -c end
vtysh -c 'enable' -c 'config terminal' -c 'route-map 1735210719119015328 permit 10' -c 'set local-preference 100' -c end
exabgpcli announce route 10.0.104.0/24 next-hop self
```

This results in:

```
==51773==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00009da88 at pc 0x73aaa151af77 bp 0x7ffeba229410 sp 0x7ffeba229400
READ of size 8 at 0x50c00009da88 thread T0
0 0x73aaa151af76 in route_map_apply_ext lib/routemap.c:2593
1 0x6288268ad13c in bgp_input_modifier bgpd/bgp_route.c:1927
2 0x6288268c759d in bgp_update bgpd/bgp_route.c:5233
3 0x6288268d5bb4 in bgp_nlri_parse_ip bgpd/bgp_route.c:7305
4 0x62882684df88 in bgp_nlri_parse bgpd/bgp_packet.c:338
5 0x62882685eb28 in bgp_update_receive bgpd/bgp_packet.c:2462
6 0x62882686f071 in bgp_process_packet bgpd/bgp_packet.c:4089
7 0x73aaa159db5e in event_call lib/event.c:2005
8 0x73aaa13f8b63 in frr_run lib/libfrr.c:1252
9 0x62882667d705 in main bgpd/bgp_main.c:565
10 0x73aaa0c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
11 0x73aaa0c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
12 0x628826678844 in _start (/usr/lib/frr/bgpd+0x4af844) (BuildId: a3f60fa98b856e76fb8a57aaf29d053f28e1b78c)
0x50c00009da88 is located 8 bytes inside of 128-byte region [0x50c00009da80,0x50c00009db00)
freed by thread T0 here:
0 0x73aaa1cfc4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
1 0x73aaa143a392 in qfree lib/memory.c:136
2 0x73aaa150fdf0 in route_map_free_map lib/routemap.c:748
3 0x73aaa150f5dc in route_map_add lib/routemap.c:672
4 0x73aaa15108e5 in route_map_get lib/routemap.c:857
5 0x73aaa1538c83 in lib_route_map_create lib/routemap_northbound.c:102
6 0x73aaa14958e9 in nb_callback_create lib/northbound.c:1547
7 0x73aaa1499c3e in nb_callback_configuration lib/northbound.c:1958
8 0x73aaa149a9fd in nb_transaction_process lib/northbound.c:2091
9 0x73aaa1494646 in nb_candidate_commit_apply lib/northbound.c:1409
10 0x73aaa1494a21 in nb_candidate_commit lib/northbound.c:1449
11 0x73aaa14aaf3d in nb_cli_classic_commit lib/northbound_cli.c:57
12 0x73aaa14ac226 in nb_cli_apply_changes_internal lib/northbound_cli.c:195
13 0x73aaa14acaa5 in _nb_cli_apply_changes lib/northbound_cli.c:251
14 0x73aaa14acdb5 in nb_cli_apply_changes lib/northbound_cli.c:267
15 0x73aaa152dac3 in route_map_magic lib/routemap_cli.c:49
16 0x73aaa1520e2b in route_map lib/routemap_cli_clippy.c:69
17 0x73aaa132fe4a in cmd_execute_command_real lib/command.c:1010
18 0x73aaa13302e9 in cmd_execute_command lib/command.c:1069
19 0x73aaa133142e in cmd_execute lib/command.c:1235
20 0x73aaa15b354e in vty_command lib/vty.c:617
21 0x73aaa15b95a0 in vty_execute lib/vty.c:1380
22 0x73aaa15c146b in vtysh_read lib/vty.c:2391
23 0x73aaa159db5e in event_call lib/event.c:2005
24 0x73aaa13f8b63 in frr_run lib/libfrr.c:1252
25 0x62882667d705 in main bgpd/bgp_main.c:565
26 0x73aaa0c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
27 0x73aaa0c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
28 0x628826678844 in _start (/usr/lib/frr/bgpd+0x4af844) (BuildId: a3f60fa98b856e76fb8a57aaf29d053f28e1b78c)
previously allocated by thread T0 here:
0 0x73aaa1cfd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
1 0x73aaa143a126 in qcalloc lib/memory.c:111
2 0x73aaa150f424 in route_map_new lib/routemap.c:646
3 0x73aaa150f4ed in route_map_add lib/routemap.c:658
4 0x73aaa15108e5 in route_map_get lib/routemap.c:857
5 0x73aaa1538c83 in lib_route_map_create lib/routemap_northbound.c:102
6 0x73aaa14958e9 in nb_callback_create lib/northbound.c:1547
7 0x73aaa1499c3e in nb_callback_configuration lib/northbound.c:1958
8 0x73aaa149a9fd in nb_transaction_process lib/northbound.c:2091
9 0x73aaa1494646 in nb_candidate_commit_apply lib/northbound.c:1409
10 0x73aaa1494a21 in nb_candidate_commit lib/northbound.c:1449
11 0x73aaa14aaf3d in nb_cli_classic_commit lib/northbound_cli.c:57
12 0x73aaa14ac226 in nb_cli_apply_changes_internal lib/northbound_cli.c:195
13 0x73aaa14acaa5 in _nb_cli_apply_changes lib/northbound_cli.c:251
14 0x73aaa14acdb5 in nb_cli_apply_changes lib/northbound_cli.c:267
15 0x73aaa152dac3 in route_map_magic lib/routemap_cli.c:49
16 0x73aaa1520e2b in route_map lib/routemap_cli_clippy.c:69
17 0x73aaa132fe4a in cmd_execute_command_real lib/command.c:1010
18 0x73aaa13302e9 in cmd_execute_command lib/command.c:1069
19 0x73aaa133142e in cmd_execute lib/command.c:1235
20 0x73aaa15b354e in vty_command lib/vty.c:617
21 0x73aaa15b95a0 in vty_execute lib/vty.c:1380
22 0x73aaa15c146b in vtysh_read lib/vty.c:2391
23 0x73aaa159db5e in event_call lib/event.c:2005
24 0x73aaa13f8b63 in frr_run lib/libfrr.c:1252
25 0x62882667d705 in main bgpd/bgp_main.c:565
26 0x73aaa0c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
27 0x73aaa0c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
28 0x628826678844 in _start (/usr/lib/frr/bgpd+0x4af844) (BuildId: a3f60fa98b856e76fb8a57aaf29d053f28e1b78c)
```

Signed-off-by: Donatas Abraitis <[email protected]>
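
Added example, not FRR code and not the fix merged in this pull request: a minimal C model of the lifetime problem visible in the trace above, where the object read in `route_map_apply_ext` had been freed inside `route_map_add` when the same name was re-created. All names (`rmap`, `peer`, `slot`, `slot_gen`, `replay`) are constructed, the delete-marks-only behaviour is an assumption drawn from the trace, and the generation check in `peer_apply` is one general way to avoid reusing a cached pointer once the entry has been freed.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the lifetime bug; none of this is FRR code. */
struct rmap { char name[32]; int local_pref; int deleted; };
struct peer { const char *rmap_name; struct rmap *cached; unsigned gen; };
static struct rmap *slot; /* one-entry stand-in for the route-map table */
static unsigned slot_gen; /* bumped every time the entry is freed */

/* Delete only marks the entry; its memory stays allocated for now. */
static void rmap_delete(void) { if (slot) slot->deleted = 1; }

/* Re-create frees the leftover entry, so pointers cached earlier dangle. */
static void rmap_add(const char *name, int local_pref)
{
	if (slot) { free(slot); slot_gen++; }
	slot = calloc(1, sizeof(*slot));
	if (!slot) abort();
	strncpy(slot->name, name, sizeof(slot->name) - 1);
	slot->local_pref = local_pref;
}

static void peer_bind(struct peer *p, const char *name)
{
	p->rmap_name = name; p->cached = slot; p->gen = slot_gen;
}

/* Inbound-update path. Returns the local-preference, or -1 if no live map. */
static int peer_apply(struct peer *p)
{
	if (p->gen != slot_gen) { /* entry was freed since we cached it */
		int live = slot && !strcmp(slot->name, p->rmap_name);
		p->cached = live ? slot : NULL; /* re-resolve by name */
		p->gen = slot_gen;
	}
	return (p->cached && !p->cached->deleted) ? p->cached->local_pref : -1;
}

/* Replays the add/delete/add sequence above, then applies the map once. */
static int replay(const char *n, int final_pref, int readd)
{
	struct peer p = {0};
	rmap_add(n, 100); peer_bind(&p, n);
	rmap_delete(); rmap_add(n, 100); rmap_delete();
	if (readd) rmap_add(n, final_pref);
	int r = peer_apply(&p);
	free(slot); slot = NULL; slot_gen++;
	return r;
}
int main(void) { return replay("RM-CONSTRUCTED", 250, 1) == 250 ? 0 : 1; }
```

Without the generation check, `peer_apply` would read through the pointer cached at bind time, which is the access AddressSanitizer reports in the trace.
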
@ton31337

@Mergifyio backport stable/10.4 stable/10.3 stable/10.2 stable/10.1 stable/10.0

@mergify
mergify bot commented Jul 14, 2025

backport stable/10.4 stable/10.3 stable/10.2 stable/10.1 stable/10.0

✅ Backports have been created

@github-actions github-actions bot added size/M and removed size/XS labels Jul 14, 2025
@mjstapp mjstapp left a comment

Great, thanks

@ton31337 ton31337 marked this pull request as draft July 15, 2025 04:55
@ton31337 ton31337 force-pushed the fix/crash_rmap_delete_add_fast branch from ed2c5fc to 0cc28a6 Compare July 15, 2025 08:41
@github-actions github-actions bot added size/S and removed size/M labels Jul 15, 2025
@ton31337 ton31337 marked this pull request as ready for review July 15, 2025 08:43
@ton31337 ton31337 force-pushed the fix/crash_rmap_delete_add_fast branch from 0cc28a6 to 9759af9 Compare July 15, 2025 08:44
@mjstapp mjstapp merged commit 7e0b1ad into FRRouting:master Jul 15, 2025
14 checks passed
@ton31337 ton31337 deleted the fix/crash_rmap_delete_add_fast branch July 15, 2025 13:58
riw777 added a commit that referenced this pull request Jul 15, 2025
bgpd: Do not try to reuse freed route-maps (backport #19191)
mjstapp added a commit that referenced this pull request Jul 15, 2025
bgpd: Do not try to reuse freed route-maps (backport #19191)
mjstapp added a commit that referenced this pull request Jul 15, 2025
bgpd: Do not try to reuse freed route-maps (backport #19191)
donaldsharp added a commit that referenced this pull request Jul 15, 2025
bgpd: Do not try to reuse freed route-maps (backport #19191)
donaldsharp added a commit that referenced this pull request Jul 15, 2025
bgpd: Do not try to reuse freed route-maps (backport #19191)
ton31337 added a commit to opensourcerouting/frr that referenced this pull request Aug 2, 2025
* bgpd: correct no form commands (backport FRRouting#18911)
* bgpd: fix to show exist/non-exist-map in 'show run' properly FRRouting#18853
* redhat: make FRR RPM build to work on RedHat 10 (backport FRRouting#18920)
* build: check for libunwind.h, not unwind.h (backport FRRouting#18912)
* bgpd: use AS4B format for BGP loc-rib messages. (backport FRRouting#18936)
* bgpd: fix for the validity and the presence of prefixes in the BGP VPN table. (backport FRRouting#17370)
* bgpd: Force adj-rib-out updates if MRAI is kicked in (backport FRRouting#18959)
* zebra: Provide SID value when sending SRv6 SID release notify message (backport FRRouting#18971)
* bgpd: Fix crash when fetching statistics for bgp instance (backport FRRouting#19003)
* nhrpd: fix crash when accessing invalid memory zone (backport FRRouting#18994)
* zebra: Initialize RB tree for router tables (backport FRRouting#19049)
* zebra: fix null pointer dereference in zebra_evpn_sync_neigh_del (backport FRRouting#19054)
* zebra: fix stale NHG in kernel (backport FRRouting#18899)
* bgpd: Fix incorrect stripping of transitive extended communities (backport FRRouting#19065)
* lib: Fix no on-match goto NUM command (backport FRRouting#19108)
* bgpd: Fix extended community check for IP non-transitive type (backport FRRouting#19097)
* bgpd: Fix DEREF_OF_NULL.EX.COND in bgp_updgrp_packet (backport FRRouting#19126)
* lib: revert addition of vtysh_flush() call in vty_out() (backport FRRouting#19109)
* bgpd: Extract link bandwidth value from extcommunity before using for WCMP (backport FRRouting#19165)
* Use ipv4 class E addresses (240.0.0.0/4) as connected routes by default (backport FRRouting#18095)
* bfdd: Set bfd.LocalDiag when transitioning to AdminDown (backport FRRouting#18592)
* zebra: clean up a json object leak (backport FRRouting#19192)
* bgpd: Do not try to reuse freed route-maps (backport FRRouting#19191)
* lib: fix routemap crash (backport FRRouting#19127)
* bgpd: initialize local variable (backport FRRouting#19233)
* ospfd: Use after free cleanup of lsa (backport FRRouting#19224)
* vtysh: copy config from file should actually apply (backport FRRouting#19242)
* bgpd : Fix compilation error in bgpd module: Update TP_ARGS for bgp (backport FRRouting#19266)
* bgpd: Ensure addpath does not withdraw selected route in some situations (backport FRRouting#19210)
* lib, zebra: mark singleton nexthops inactive/active on link state changes for wecmp (backport FRRouting#18947)
* eigrp: validate hello packets and tlvs better (backport FRRouting#19251)
* bgpd: [GR] fixed selectionDeferralTimer to display select_defer_time val FRRouting#19283

Signed-off-by: Donatas Abraitis <[email protected]>
ton31337 added a commit to opensourcerouting/frr that referenced this pull request Aug 2, 2025
* bgpd: correct no form commands (backport FRRouting#18911)
* build: check for libunwind.h, not unwind.h (backport FRRouting#18912)
* redhat: make FRR RPM build to work on RedHat 10 (backport FRRouting#18920)
* bgpd: use AS4B format for BGP loc-rib messages. (backport FRRouting#18936)
* bgpd: Force adj-rib-out updates if MRAI is kicked in (backport FRRouting#18959)
* zebra: Provide SID value when sending SRv6 SID release notify message (backport FRRouting#18971)
* nhrpd: fix crash when accessing invalid memory zone (backport FRRouting#18994)
* lib: Fix no on-match goto NUM command (backport FRRouting#19108)
* bgpd: Fix DEREF_OF_NULL.EX.COND in bgp_updgrp_packet (backport FRRouting#19126)
* bgpd: Extract link bandwidth value from extcommunity before using for WCMP (backport FRRouting#19165)
* bfdd: Set bfd.LocalDiag when transitioning to AdminDown (backport FRRouting#18592)
* bgpd: Do not try to reuse freed route-maps (backport FRRouting#19191)
* lib: fix routemap crash (backport FRRouting#19127)
* lib, zebra: mark singleton nexthops inactive/active on link state changes for wecmp (backport FRRouting#18947)
* bgpd: [GR] fixed selectionDeferralTimer to display select_defer_time val FRRouting#19284

Signed-off-by: Donatas Abraitis <[email protected]>