bgpd: Fix 'show ip bgp summary' variable output being wrong #8
Merged
The first time through calling 'show ip bgp summary' we were always calculating the variable hostname field size incorrectly.
Ticket: CM-13900
Signed-off-by: Donald Sharp <[email protected]>
rwestphal referenced this pull request in opensourcerouting/frr Feb 21, 2019
If path->net is NULL in the bgp_path_info_free() function, then bgpd would crash in bgp_addpath_free_info_data() with the following backtrace:
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ff7b267a42a in __GI_abort () at abort.c:89
#2 0x00007ff7b39c1ca0 in core_handler (signo=11, siginfo=0x7ffff66414f0, context=<optimized out>) at lib/sigevent.c:249
#3 <signal handler called>
#4 idalloc_free_to_pool (pool_ptr=pool_ptr@entry=0x0, id=3) at lib/id_alloc.c:368
#5 0x0000560096246688 in bgp_addpath_free_info_data (d=d@entry=0x560098665468, nd=0x0) at bgpd/bgp_addpath.c:100
#6 0x00005600961bb522 in bgp_path_info_free (path=0x560098665400) at bgpd/bgp_route.c:252
#7 bgp_path_info_unlock (path=0x560098665400) at bgpd/bgp_route.c:276
#8 0x00005600961bb719 in bgp_path_info_reap (rn=rn@entry=0x5600986b2110, pi=pi@entry=0x560098665400) at bgpd/bgp_route.c:320
#9 0x00005600961bf4db in bgp_process_main_one (safi=SAFI_MPLS_VPN, afi=AFI_IP, rn=0x5600986b2110, bgp=0x560098587320) at bgpd/bgp_route.c:2476
#10 bgp_process_wq (wq=<optimized out>, data=0x56009869b8f0) at bgpd/bgp_route.c:2503
#11 0x00007ff7b39d5fcc in work_queue_run (thread=0x7ffff6641e10) at lib/workqueue.c:294
#12 0x00007ff7b39ce3b1 in thread_call (thread=thread@entry=0x7ffff6641e10) at lib/thread.c:1606
#13 0x00007ff7b39a3538 in frr_run (master=0x5600980795b0) at lib/libfrr.c:1011
#14 0x000056009618a5a3 in main (argc=3, argv=0x7ffff6642078) at bgpd/bgp_main.c:481
Add a null-check protection to fix this problem.
Signed-off-by: Renato Westphal <[email protected]>
Pdoijode added a commit to Pdoijode/frr that referenced this pull request Nov 19, 2025
Error:
ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000ef8a0 at pc 0x555df66ba094 bp 0x7ffc13d67240 sp 0x7ffc13d67238
READ of size 4 at 0x6070000ef8a0 thread T0
    #0 0x555df66ba093 in zebra_gr_delete_stale_route_table_afi zebra/zebra_gr.c:514
    #1 0x7fd33d6db06e in event_call lib/event.c:2013
    #2 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257
    #3 0x555df66531ec in main zebra/main.c:552
    #4 0x7fd33d10c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0x7fd33d10c304 in __libc_start_main_impl ../csu/libc-start.c:360
    #6 0x555df6626b40 in _start (/usr/lib/frr/zebra+0x1a1b40)
0x6070000ef8a0 is located 0 bytes inside of 72-byte region [0x6070000ef8a0,0x6070000ef8e8)
freed by thread T0 here:
    #0 0x7fd33dab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7fd33d622cd5 in qfree lib/memory.c:136
    #2 0x555df66b9e5f in zebra_gr_client_info_delete zebra/zebra_gr.c:130
    #3 0x555df66bc66f in zread_client_capabilities zebra/zebra_gr.c:355
    #4 0x555df66a025c in zserv_handle_commands zebra/zapi_msg.c:4228
    #5 0x555df67cde33 in zserv_process_messages zebra/zserv.c:565
    #6 0x7fd33d6db06e in event_call lib/event.c:2013
    #7 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257
    #8 0x555df66531ec in main zebra/main.c:552
    #9 0x7fd33d10c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
    #0 0x7fd33dab83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7fd33d6223e2 in qcalloc lib/memory.c:111
    #2 0x555df66bbace in zebra_gr_client_info_create zebra/zebra_gr.c:101
    #3 0x555df66bbace in zread_client_capabilities zebra/zebra_gr.c:360
    #4 0x555df66a025c in zserv_handle_commands zebra/zapi_msg.c:4228
    #5 0x555df67cde33 in zserv_process_messages zebra/zserv.c:565
    #6 0x7fd33d6db06e in event_call lib/event.c:2013
    #7 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257
    #8 0x555df66531ec in main zebra/main.c:552
    #9 0x7fd33d10c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Pooja Jagadeesh Doijode <[email protected]>
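A triage sketch for the AddressSanitizer report above, added here as an example and not part of the referenced commit or of FRR: it splits the report into its use, free and allocation stacks and names the first non-allocator frame in each. Treating frames under `libsanitizer` and `lib/memory.c` as allocator plumbing, and `event_call` as the event dispatcher, are assumptions read off the trace itself.

```python
import re
from collections import namedtuple

Frame = namedtuple("Frame", "index func location")

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"located (\d+) bytes inside of (\d+)-byte region")
# A frame marker is "#N"; the optional prefix also accepts "FRRouting#N", which
# is how GitHub renders "#N" once it auto-links it as an issue reference.
FRAME_RE = re.compile(r"^(?:[\w.-]+)?#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")

# Assumption: frames located under these paths (both appear in the trace) are
# allocator or sanitizer plumbing rather than the code that owns the object.
RUNTIME_MARKERS = ("libsanitizer", "lib/memory.c")

# Excerpt of the report quoted on this page, deeper frames trimmed and frame
# markers kept in the GitHub-rendered "FRRouting#N" form.
REPORT = """\
ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000ef8a0 at pc 0x555df66ba094 bp 0x7ffc13d67240 sp 0x7ffc13d67238
READ of size 4 at 0x6070000ef8a0 thread T0
#0 0x555df66ba093 in zebra_gr_delete_stale_route_table_afi zebra/zebra_gr.c:514
FRRouting#1 0x7fd33d6db06e in event_call lib/event.c:2013
FRRouting#2 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257
0x6070000ef8a0 is located 0 bytes inside of 72-byte region [0x6070000ef8a0,0x6070000ef8e8)
freed by thread T0 here:
#0 0x7fd33dab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
FRRouting#1 0x7fd33d622cd5 in qfree lib/memory.c:136
FRRouting#2 0x555df66b9e5f in zebra_gr_client_info_delete zebra/zebra_gr.c:130
FRRouting#3 0x555df66bc66f in zread_client_capabilities zebra/zebra_gr.c:355
FRRouting#4 0x555df66a025c in zserv_handle_commands zebra/zapi_msg.c:4228
previously allocated by thread T0 here:
#0 0x7fd33dab83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
FRRouting#1 0x7fd33d6223e2 in qcalloc lib/memory.c:111
FRRouting#2 0x555df66bbace in zebra_gr_client_info_create zebra/zebra_gr.c:101
FRRouting#3 0x555df66bbace in zread_client_capabilities zebra/zebra_gr.c:360
FRRouting#4 0x555df66a025c in zserv_handle_commands zebra/zapi_msg.c:4228
"""


def parse_asan_report(text):
    """Split an ASan report into header fields and use/free/alloc stacks."""
    report = {"kind": None, "address": None, "access": None, "size": None,
              "offset": None, "region_size": None,
              "stacks": {"use": [], "free": [], "alloc": []}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.search(line)):
            report["kind"], report["address"] = m.groups()
        elif (m := ACCESS_RE.match(line)):
            report["access"], report["size"] = m.group(1), int(m.group(2))
            section = "use"            # frames that follow are the faulting access
        elif (m := REGION_RE.search(line)):
            report["offset"], report["region_size"] = map(int, m.groups())
        elif line.startswith("freed by thread"):
            section = "free"
        elif line.startswith("previously allocated by thread"):
            section = "alloc"
        elif section and (m := FRAME_RE.match(line)):
            report["stacks"][section].append(
                Frame(int(m.group(1)), m.group(2), m.group(3)))
    return report


def first_project_frame(stack):
    """First frame that is not allocator or sanitizer plumbing, or None."""
    for frame in stack:
        if not any(marker in frame.location for marker in RUNTIME_MARKERS):
            return frame
    return None


def _caller(stack, frame):
    """Function name of the frame directly above `frame`, or None."""
    if frame is None:
        return None
    pos = stack.index(frame) + 1
    return stack[pos].func if pos < len(stack) else None


def _fmt(frame):
    return f"{frame.func} at {frame.location}" if frame else None


def triage(text, dispatcher="event_call"):
    """Summarise where the object was used, freed and allocated."""
    report = parse_asan_report(text)
    stacks = report["stacks"]
    site = {name: first_project_frame(stack) for name, stack in stacks.items()}
    caller = {name: _caller(stacks[name], site[name]) for name in stacks}
    return {
        "kind": report["kind"],
        "use_site": _fmt(site["use"]),
        "free_site": _fmt(site["free"]),
        "alloc_site": _fmt(site["alloc"]),
        # True when the faulting function was invoked straight from the
        # dispatcher, i.e. it ran as a deferred callback.
        "deferred_use": caller["use"] == dispatcher,
        # Set when one function both released and created the object.
        "freed_and_reallocated_by":
            caller["free"] if caller["free"] == caller["alloc"] else None,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

On this report the faulting read is reached straight from `event_call`, while the free and the allocation are both requested by `zread_client_capabilities`; that is the lifetime picture the three stacks give.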
Pdoijode added a commit to Pdoijode/frr that referenced this pull request Nov 25, 2025
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Dec 2, 2025
The following crash happens, when moving from level-2 to level-1 an isis flex-algorithm configuration
> warning: 44 ./nptl/pthread_kill.c: No such file or directory
> [Current thread is 1 (Thread 0x7108d4cb2980 (LWP 1023))]
> (gdb) bt
> #0 __pthread_kill_implementation (no_tid=0, signo=11,
>     threadid=<optimized out>) at ./nptl/pthread_kill.c:44
> #1 __pthread_kill_internal (signo=11, threadid=<optimized out>)
>     at ./nptl/pthread_kill.c:78
> #2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
>     at ./nptl/pthread_kill.c:89
> #3 0x00007108d3e4527e in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
> #4 0x00007108d4b44926 in core_handler (signo=11, siginfo=0x7ffe7c10fb30,
>     context=0x7ffe7c10fa00)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:248
> #5 <signal handler called>
> #6 0x00005b5d803bf07b in isis_spf_invalidate_routes (tree=0x0)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2118
> #7 0x00005b5d803fb23e in isis_area_invalidate_routes (area=0x5b5db8d5be40,
>     levels=1)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isisd.c:3152
> #8 0x00005b5d803bf280 in isis_run_spf_cb (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2165
> #9 0x00007108d4b5ff7f in event_call (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/event.c:2011
> #10 0x00007108d4adb761 in frr_run (master=0x5b5db7f7ca40)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1219
> #11 0x00005b5d8038333a in main (argc=5, argv=0x7ffe7c1103d8,
> --Type <RET> for more, q to quit, c to continue without paging--
>     envp=0x7ffe7c110408)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_main.c:360
> (gdb)
Fix this by adding protection before invalidating all routes.
Signed-off-by: Philippe Guibert <[email protected]>
Pdoijode added a commit to Pdoijode/frr that referenced this pull request Dec 4, 2025
Pdoijode added a commit to Pdoijode/frr that referenced this pull request Dec 16, 2025
Pdoijode added a commit to Pdoijode/frr that referenced this pull request Dec 17, 2025
Pdoijode added a commit to Pdoijode/frr that referenced this pull request Dec 22, 2025
Pdoijode added a commit to Pdoijode/frr that referenced this pull request Dec 23, 2025
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Dec 24, 2025
The following crash happens on a BGP setup with SRv6 used, when locator is updated with the func-bits value moving from 32 bits to 16 bits.
> #6 0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> #7 vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> #8 0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> #9 0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> #10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> #11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> #12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> #13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> #14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> #15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> #16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>
Actually, the SID allocated has been freed after the locator deleted event. Protect this part of code by checking the availability of the sid pointer.
Signed-off-by: Philippe Guibert <[email protected]>
pguibert6WIND
added a commit
to pguibert6WIND/frr
that referenced
this pull request
Dec 24, 2025
The following crash happens on a BGP setup with SRv6 used, when locator is updated with the func-bits value moving from 32 bits to 16 bits. > FRRouting#6 0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) > at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29 > FRRouting#7 vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010 > FRRouting#8 0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040, > afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215 > FRRouting#9 0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340, > bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313 > FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN) > at ./bgpd/bgp_mplsvpn.h:273 > FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978 > FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>, > vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874 > FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804 > FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005 > FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252 > FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565 > (gdb) > Actually, the SID allocated has been freed after the locator deleted event. Protect this part of code by checking the availability of the sid pointer. Signed-off-by: Philippe Guibert <[email protected]>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request on Jan 2, 2026
The following crash happens, when moving from level-2 to level-1 an isis flex-algorithm configuration

> warning: 44 ./nptl/pthread_kill.c: No such file or directory
> [Current thread is 1 (Thread 0x7108d4cb2980 (LWP 1023))]
> (gdb) bt
> #0 __pthread_kill_implementation (no_tid=0, signo=11,
>     threadid=<optimized out>) at ./nptl/pthread_kill.c:44
> #1 __pthread_kill_internal (signo=11, threadid=<optimized out>)
>     at ./nptl/pthread_kill.c:78
> #2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
>     at ./nptl/pthread_kill.c:89
> #3 0x00007108d3e4527e in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
> #4 0x00007108d4b44926 in core_handler (signo=11, siginfo=0x7ffe7c10fb30,
>     context=0x7ffe7c10fa00)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:248
> #5 <signal handler called>
> #6 0x00005b5d803bf07b in isis_spf_invalidate_routes (tree=0x0)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2118
> #7 0x00005b5d803fb23e in isis_area_invalidate_routes (area=0x5b5db8d5be40,
>     levels=1)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isisd.c:3152
> #8 0x00005b5d803bf280 in isis_run_spf_cb (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2165
> #9 0x00007108d4b5ff7f in event_call (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/event.c:2011
> #10 0x00007108d4adb761 in frr_run (master=0x5b5db7f7ca40)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1219
> #11 0x00005b5d8038333a in main (argc=5, argv=0x7ffe7c1103d8,
> --Type <RET> for more, q to quit, c to continue without paging--
>     envp=0x7ffe7c110408)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_main.c:360
> (gdb)

Fix this by adding protection before invalidating all routes.

Signed-off-by: Philippe Guibert <[email protected]>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request on Jan 7, 2026
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request on Jan 8, 2026
mergify bot pushed a commit that referenced this pull request on Jan 13, 2026
The following crash happens, when moving from level-2 to level-1 an isis flex-algorithm configuration

> warning: 44 ./nptl/pthread_kill.c: No such file or directory
> [Current thread is 1 (Thread 0x7108d4cb2980 (LWP 1023))]
> (gdb) bt
> #0 __pthread_kill_implementation (no_tid=0, signo=11,
>     threadid=<optimized out>) at ./nptl/pthread_kill.c:44
> #1 __pthread_kill_internal (signo=11, threadid=<optimized out>)
>     at ./nptl/pthread_kill.c:78
> #2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
>     at ./nptl/pthread_kill.c:89
> #3 0x00007108d3e4527e in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
> #4 0x00007108d4b44926 in core_handler (signo=11, siginfo=0x7ffe7c10fb30,
>     context=0x7ffe7c10fa00)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:248
> #5 <signal handler called>
> #6 0x00005b5d803bf07b in isis_spf_invalidate_routes (tree=0x0)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2118
> #7 0x00005b5d803fb23e in isis_area_invalidate_routes (area=0x5b5db8d5be40,
>     levels=1)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isisd.c:3152
> #8 0x00005b5d803bf280 in isis_run_spf_cb (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2165
> #9 0x00007108d4b5ff7f in event_call (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/event.c:2011
> #10 0x00007108d4adb761 in frr_run (master=0x5b5db7f7ca40)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1219
> #11 0x00005b5d8038333a in main (argc=5, argv=0x7ffe7c1103d8,
> --Type <RET> for more, q to quit, c to continue without paging--
>     envp=0x7ffe7c110408)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_main.c:360
> (gdb)

Fix this by adding protection before invalidating all routes.

Signed-off-by: Philippe Guibert <[email protected]>
(cherry picked from commit 65269be)