bgpd: Do not try to reuse freed route-maps (backport #19191) #19203
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is actually happening when adding/deleting a route-map which is already assigned to the peer, e.g.: ``` vtysh -c 'enable' -c 'config terminal' -c 'route-map 1735210719119015328 permit 10' -c 'set local-preference 100' -c end vtysh -c 'enable' -c 'clear ip bgp vrf default 10.10.10.20 soft' vtysh -c 'enable' -c 'config terminal' -c 'no route-map 1735210719119015328' -c end vtysh -c 'enable' -c 'config terminal' -c 'route-map 1735210719119015328 permit 10' -c 'set local-preference 100' -c end vtysh -c 'enable' -c 'config terminal' -c 'no route-map 1735210719119015328' -c end vtysh -c 'enable' -c 'config terminal' -c 'route-map 1735210719119015328 permit 10' -c 'set local-preference 100' -c end exabgpcli announce route 10.0.104.0/24 next-hop self ``` This results in: ``` ==51773==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00009da88 at pc 0x73aaa151af77 bp 0x7ffeba229410 sp 0x7ffeba229400 READ of size 8 at 0x50c00009da88 thread T0 0 0x73aaa151af76 in route_map_apply_ext lib/routemap.c:2593 1 0x6288268ad13c in bgp_input_modifier bgpd/bgp_route.c:1927 2 0x6288268c759d in bgp_update bgpd/bgp_route.c:5233 3 0x6288268d5bb4 in bgp_nlri_parse_ip bgpd/bgp_route.c:7305 4 0x62882684df88 in bgp_nlri_parse bgpd/bgp_packet.c:338 5 0x62882685eb28 in bgp_update_receive bgpd/bgp_packet.c:2462 6 0x62882686f071 in bgp_process_packet bgpd/bgp_packet.c:4089 7 0x73aaa159db5e in event_call lib/event.c:2005 8 0x73aaa13f8b63 in frr_run lib/libfrr.c:1252 9 0x62882667d705 in main bgpd/bgp_main.c:565 10 0x73aaa0c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 11 0x73aaa0c2a28a in __libc_start_main_impl ../csu/libc-start.c:360 12 0x628826678844 in _start (/usr/lib/frr/bgpd+0x4af844) (BuildId: a3f60fa98b856e76fb8a57aaf29d053f28e1b78c) 0x50c00009da88 is located 8 bytes inside of 128-byte region [0x50c00009da80,0x50c00009db00) freed by thread T0 here: 0 0x73aaa1cfc4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 1 0x73aaa143a392 in qfree lib/memory.c:136 2 0x73aaa150fdf0 in route_map_free_map lib/routemap.c:748 3 0x73aaa150f5dc in route_map_add lib/routemap.c:672 4 0x73aaa15108e5 in route_map_get lib/routemap.c:857 5 0x73aaa1538c83 in lib_route_map_create lib/routemap_northbound.c:102 6 0x73aaa14958e9 in nb_callback_create lib/northbound.c:1547 7 0x73aaa1499c3e in nb_callback_configuration lib/northbound.c:1958 8 0x73aaa149a9fd in nb_transaction_process lib/northbound.c:2091 9 0x73aaa1494646 in nb_candidate_commit_apply lib/northbound.c:1409 10 0x73aaa1494a21 in nb_candidate_commit lib/northbound.c:1449 11 0x73aaa14aaf3d in nb_cli_classic_commit lib/northbound_cli.c:57 12 0x73aaa14ac226 in nb_cli_apply_changes_internal lib/northbound_cli.c:195 13 0x73aaa14acaa5 in _nb_cli_apply_changes lib/northbound_cli.c:251 14 0x73aaa14acdb5 in nb_cli_apply_changes lib/northbound_cli.c:267 15 0x73aaa152dac3 in route_map_magic lib/routemap_cli.c:49 16 0x73aaa1520e2b in route_map lib/routemap_cli_clippy.c:69 17 0x73aaa132fe4a in cmd_execute_command_real lib/command.c:1010 18 0x73aaa13302e9 in cmd_execute_command lib/command.c:1069 19 0x73aaa133142e in cmd_execute lib/command.c:1235 20 0x73aaa15b354e in vty_command lib/vty.c:617 21 0x73aaa15b95a0 in vty_execute lib/vty.c:1380 22 0x73aaa15c146b in vtysh_read lib/vty.c:2391 23 0x73aaa159db5e in event_call lib/event.c:2005 24 0x73aaa13f8b63 in frr_run lib/libfrr.c:1252 25 0x62882667d705 in main bgpd/bgp_main.c:565 26 0x73aaa0c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 27 0x73aaa0c2a28a in __libc_start_main_impl ../csu/libc-start.c:360 28 0x628826678844 in _start (/usr/lib/frr/bgpd+0x4af844) (BuildId: a3f60fa98b856e76fb8a57aaf29d053f28e1b78c) previously allocated by thread T0 here: 0 0x73aaa1cfd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 1 0x73aaa143a126 in qcalloc lib/memory.c:111 2 0x73aaa150f424 in route_map_new lib/routemap.c:646 3 0x73aaa150f4ed in route_map_add lib/routemap.c:658 4 0x73aaa15108e5 in route_map_get lib/routemap.c:857 5 0x73aaa1538c83 in lib_route_map_create lib/routemap_northbound.c:102 6 0x73aaa14958e9 in nb_callback_create lib/northbound.c:1547 7 0x73aaa1499c3e in nb_callback_configuration lib/northbound.c:1958 8 0x73aaa149a9fd in nb_transaction_process lib/northbound.c:2091 9 0x73aaa1494646 in nb_candidate_commit_apply lib/northbound.c:1409 10 0x73aaa1494a21 in nb_candidate_commit lib/northbound.c:1449 11 0x73aaa14aaf3d in nb_cli_classic_commit lib/northbound_cli.c:57 12 0x73aaa14ac226 in nb_cli_apply_changes_internal lib/northbound_cli.c:195 13 0x73aaa14acaa5 in _nb_cli_apply_changes lib/northbound_cli.c:251 14 0x73aaa14acdb5 in nb_cli_apply_changes lib/northbound_cli.c:267 15 0x73aaa152dac3 in route_map_magic lib/routemap_cli.c:49 16 0x73aaa1520e2b in route_map lib/routemap_cli_clippy.c:69 17 0x73aaa132fe4a in cmd_execute_command_real lib/command.c:1010 18 0x73aaa13302e9 in cmd_execute_command lib/command.c:1069 19 0x73aaa133142e in cmd_execute lib/command.c:1235 20 0x73aaa15b354e in vty_command lib/vty.c:617 21 0x73aaa15b95a0 in vty_execute lib/vty.c:1380 22 0x73aaa15c146b in vtysh_read lib/vty.c:2391 23 0x73aaa159db5e in event_call lib/event.c:2005 24 0x73aaa13f8b63 in frr_run lib/libfrr.c:1252 25 0x62882667d705 in main bgpd/bgp_main.c:565 26 0x73aaa0c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 27 0x73aaa0c2a28a in __libc_start_main_impl ../csu/libc-start.c:360 28 0x628826678844 in _start (/usr/lib/frr/bgpd+0x4af844) (BuildId: a3f60fa98b856e76fb8a57aaf29d053f28e1b78c) ``` Signed-off-by: Donatas Abraitis <[email protected]> (cherry picked from commit f4f5c34)
…-map Signed-off-by: Donatas Abraitis <[email protected]> (cherry picked from commit 9759af9)
Member
|
I don't think the CI is going to pass on this one ... changes in the data structure |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an automatic backport of pull request #19191 done by [Mergify](https://mergify.com).