support redistribute vrf function #1

zice312963205 · 2023-02-23T02:47:38Z

bgpd: Add support for BGP vrf route copying

Example configuration:
router bgp 100 vrf vrf-1
address-family ipv4 unicast
rd vpn export 1:1
rt vpn both 1:1
export vpn
import vpn
redistribute vrf vrf-2
exit-address-family
!
!
router bgp 100 vrf vrf-2
neighbor 2.2.2.2 remote-as 1
address-family ipv4 unicast
rd vpn export 2:2
rt vpn both 2:2
neighbor 2.2.2.2 activate
exit-address-family
!
BGP routes learned from the neighbor 2.2.2.2 under VRF-1 can be directly copied to the BGP under VRF-1 without carrying the RD and RT attributes of VRF-1. After being copied to VRF-1, the routes will be sent to VPN with the RD 1:1 and RT 1:1 attributes, forming BGP-VPN routes.

cscarpitta · 2023-02-27T09:43:07Z

Just a few things we should do before submitting the code:

Add documentation to the bgp docs for the new command redistribute vrf that you added. This should go in a separate commit.
Write test cases for the new functionality and add them to the tests folder. This should go in a separate commit.
Format the code according to the FRR style guidelines. We can use the clang-format source formatter tool to automatically format code according to the guidelines.
Format the commit messages according to the guidelines described here, here, and here.

I can help with all the above items.

Fix crash on "show bgp all" when BGP EVPN is set. > #0 raise (sig=11) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007fdfe03cf53c in core_handler (signo=11, siginfo=0x7ffdebbffe30, context=0x7ffdebbffd00) at lib/sigevent.c:261 > FRRouting#2 <signal handler called> > FRRouting#3 0x00000000004d4fec in bgp_attr_get_community (attr=0x41) at bgpd/bgp_attr.h:553 > FRRouting#4 0x00000000004eee84 in bgp_show_table (vty=0x1a790d0, bgp=0x19d0a00, safi=SAFI_EVPN, table=0x19f6010, type=bgp_show_type_normal, output_arg=0x0, rd=0x0, is_last=1, output_cum=0x0, > total_cum=0x0, json_header_depth=0x7ffdebc00bf8, show_flags=4, rpki_target_state=RPKI_NOT_BEING_USED) at bgpd/bgp_route.c:11329 > FRRouting#5 0x00000000004f7765 in bgp_show (vty=0x1a790d0, bgp=0x19d0a00, afi=AFI_L2VPN, safi=SAFI_EVPN, type=bgp_show_type_normal, output_arg=0x0, show_flags=4, > rpki_target_state=RPKI_NOT_BEING_USED) at bgpd/bgp_route.c:11814 > FRRouting#6 0x00000000004fb53b in show_ip_bgp_magic (self=0x6752b0 <show_ip_bgp_cmd>, vty=0x1a790d0, argc=3, argv=0x19cb050, viewvrfname=0x0, all=0x1395390 "all", aa_nn=0x0, community_list=0, > community_list_str=0x0, community_list_name=0x0, as_path_filter_name=0x0, prefix_list=0x0, accesslist_name=0x0, rmap_name=0x0, version=0, version_str=0x0, alias_name=0x0, > orr_group_name=0x0, detail_routes=0x0, uj=0x0, detail_json=0x0, wide=0x0) at bgpd/bgp_route.c:13040 > FRRouting#7 0x00000000004fa322 in show_ip_bgp (self=0x6752b0 <show_ip_bgp_cmd>, vty=0x1a790d0, argc=3, argv=0x19cb050) at ./bgpd/bgp_route_clippy.c:519 > FRRouting#8 0x00007fdfe033ccc8 in cmd_execute_command_real (vline=0x19c9300, filter=FILTER_RELAXED, vty=0x1a790d0, cmd=0x0, up_level=0) at lib/command.c:996 > FRRouting#9 0x00007fdfe033c739 in cmd_execute_command (vline=0x19c9300, vty=0x1a790d0, cmd=0x0, vtysh=0) at lib/command.c:1056 > FRRouting#10 0x00007fdfe033cdf5 in cmd_execute (vty=0x1a790d0, cmd=0x19c9eb0 "show bgp all", matched=0x0, vtysh=0) at lib/command.c:1223 > FRRouting#11 0x00007fdfe03f65c6 in vty_command (vty=0x1a790d0, buf=0x19c9eb0 "show bgp all") at lib/vty.c:486 > FRRouting#12 0x00007fdfe03f603b in vty_execute (vty=0x1a790d0) at lib/vty.c:1249 > FRRouting#13 0x00007fdfe03f533b in vtysh_read (thread=0x7ffdebc03838) at lib/vty.c:2148 > FRRouting#14 0x00007fdfe03e815d in thread_call (thread=0x7ffdebc03838) at lib/thread.c:2006 > FRRouting#15 0x00007fdfe0379b54 in frr_run (master=0x1246880) at lib/libfrr.c:1198 > FRRouting#16 0x000000000042b2a8 in main (argc=7, argv=0x7ffdebc03af8) at bgpd/bgp_main.c:520 Link: FRRouting#12576 Signed-off-by: Louis Scalbert <[email protected]>

After we call subgroup_announce_check(), we leave communities, large-communities that are modified by route-maps uninterned, and here we have a memory leak. ``` ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323:Direct leak of 80 byte(s) in 2 object(s) allocated from: ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #0 0x7f0858d90037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #1 0x7f08589b15b2 in qcalloc lib/memory.c:105 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#2 0x561f5c4e08d2 in lcommunity_new bgpd/bgp_lcommunity.c:28 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#3 0x561f5c4e11d9 in lcommunity_dup bgpd/bgp_lcommunity.c:141 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#4 0x561f5c5c3b8b in route_set_lcommunity bgpd/bgp_routemap.c:2491 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#5 0x7f0858a177a5 in route_map_apply_ext lib/routemap.c:2675 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#6 0x561f5c5696f9 in subgroup_announce_check bgpd/bgp_route.c:2352 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#7 0x561f5c5fb728 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:682 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#8 0x561f5c5fbd95 in subgroup_announce_route bgpd/bgp_updgrp_adv.c:765 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#9 0x561f5c5f6105 in peer_af_announce_route bgpd/bgp_updgrp.c:2187 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#10 0x561f5c5790be in bgp_announce_route_timer_expired bgpd/bgp_route.c:5032 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#11 0x7f0858a76e4e in thread_call lib/thread.c:1991 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#12 0x7f0858974c24 in frr_run lib/libfrr.c:1185 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#13 0x561f5c3e955d in main bgpd/bgp_main.c:505 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#14 0x7f08583a9d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323:Indirect leak of 144 byte(s) in 2 object(s) allocated from: ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #0 0x7f0858d8fe8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #1 0x7f08589b1579 in qmalloc lib/memory.c:100 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#2 0x561f5c4e1282 in lcommunity_dup bgpd/bgp_lcommunity.c:144 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#3 0x561f5c5c3b8b in route_set_lcommunity bgpd/bgp_routemap.c:2491 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#4 0x7f0858a177a5 in route_map_apply_ext lib/routemap.c:2675 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#5 0x561f5c5696f9 in subgroup_announce_check bgpd/bgp_route.c:2352 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#6 0x561f5c5fb728 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:682 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#7 0x561f5c5fbd95 in subgroup_announce_route bgpd/bgp_updgrp_adv.c:765 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#8 0x561f5c5f6105 in peer_af_announce_route bgpd/bgp_updgrp.c:2187 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#9 0x561f5c5790be in bgp_announce_route_timer_expired bgpd/bgp_route.c:5032 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#10 0x7f0858a76e4e in thread_call lib/thread.c:1991 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#11 0x7f0858974c24 in frr_run lib/libfrr.c:1185 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#12 0x561f5c3e955d in main bgpd/bgp_main.c:505 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#13 0x7f08583a9d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323-SUMMARY: AddressSanitizer: 224 byte(s) leaked in 4 allocation(s). ``` Signed-off-by: Donatas Abraitis <[email protected]>

``` donatas-pc# show bgp all detail-routes For address family: IPv4 Unicast BGP table version is 11, local router ID is 192.168.10.17, vrf id 0 Default local pref 100, local AS 65002 BGP routing table entry for 10.0.2.0/24, version 1 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: 192.168.10.124 65001 192.168.10.124 from 192.168.10.124 (200.200.200.202) Origin incomplete, metric 0, valid, external, otc 65001, best (First path received) Last update: Tue Dec 20 12:11:52 2022 BGP routing table entry for 10.10.100.0/24, version 2 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: 192.168.10.124 65001 192.168.10.124 from 192.168.10.124 (200.200.200.202) Origin IGP, metric 0, valid, external, otc 65001, best (First path received) Last update: Tue Dec 20 12:11:52 2022 BGP routing table entry for 172.16.31.1/32, version 3 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: 192.168.10.124 65001 192.168.10.124 from 192.168.10.124 (200.200.200.202) Origin incomplete, metric 0, valid, external, otc 65001, best (First path received) Last update: Tue Dec 20 12:11:52 2022 ``` Signed-off-by: Donatas Abraitis <[email protected]>

``` unet> sh pe2 vtysh -c 'sh ip bgp ipv4 vpn detail-routes' BGP table version is 4, local router ID is 10.10.10.20, vrf id 0 Default local pref 100, local AS 65001 Route Distinguisher: 192.168.2.2:2 BGP routing table entry for 192.168.2.2:2:10.0.0.0/24, version 1 not allocated Paths: (1 available, best #1) Not advertised to any peer 65000 192.168.2.1 from 0.0.0.0 (10.10.10.20) vrf RED(4) announce-nh-self Origin incomplete, metric 0, localpref 50, valid, sourced, local, best (First path received) Extended Community: RT:192.168.2.2:2 Originator: 10.10.10.20 Remote label: 2222 Last update: Tue Dec 20 13:01:20 2022 BGP routing table entry for 192.168.2.2:2:172.16.255.1/32, version 2 not allocated Paths: (1 available, best #1) Not advertised to any peer 65000 192.168.2.1 from 0.0.0.0 (10.10.10.20) vrf RED(4) announce-nh-self Origin incomplete, localpref 50, valid, sourced, local, best (First path received) Extended Community: RT:192.168.2.2:2 Originator: 10.10.10.20 Remote label: 2222 Last update: Tue Dec 20 13:01:20 2022 BGP routing table entry for 192.168.2.2:2:192.168.1.0/24, version 3 not allocated Paths: (1 available, best #1) Not advertised to any peer 65000 192.168.2.1 from 0.0.0.0 (10.10.10.20) vrf RED(4) announce-nh-self Origin incomplete, localpref 50, valid, sourced, local, best (First path received) Extended Community: RT:192.168.2.2:2 Originator: 10.10.10.20 Remote label: 2222 Last update: Tue Dec 20 13:01:20 2022 BGP routing table entry for 192.168.2.2:2:192.168.2.0/24, version 4 not allocated Paths: (1 available, best #1) Not advertised to any peer 65000 192.168.2.1 from 0.0.0.0 (10.10.10.20) vrf RED(4) announce-nh-self Origin incomplete, metric 0, localpref 50, valid, sourced, local, best (First path received) Extended Community: RT:192.168.2.2:2 Originator: 10.10.10.20 Remote label: 2222 Last update: Tue Dec 20 13:01:20 2022 Displayed 4 routes and 4 total paths ``` Signed-off-by: Donatas Abraitis <[email protected]>

Prevent a use after free and tell the bfd subsystem we are shutting down in staticd. ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460:==2264460==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f000004698 at pc 0x7f65d1eb11b2 bp 0x7ffdbface490 sp 0x7ffdbface488 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460-READ of size 4 at 0x61f000004698 thread T0 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #0 0x7f65d1eb11b1 in zclient_bfd_command lib/bfd.c:307 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #1 0x7f65d1eb20f5 in _bfd_sess_send lib/bfd.c:507 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#2 0x7f65d20510aa in thread_call lib/thread.c:1989 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#3 0x7f65d2051f0a in _thread_execute lib/thread.c:2081 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#4 0x7f65d1eb271b in _bfd_sess_remove lib/bfd.c:544 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#5 0x7f65d1eb278d in bfd_sess_free lib/bfd.c:553 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#6 0x7f65d1eb5400 in bfd_protocol_integration_finish lib/bfd.c:1029 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#7 0x7f65d1f42f77 in hook_call_frr_fini lib/libfrr.c:41 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#8 0x7f65d1f494a1 in frr_fini lib/libfrr.c:1199 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#9 0x563b7abefd76 in sigint staticd/static_main.c:70 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#10 0x7f65d200ef91 in frr_sigevent_process lib/sigevent.c:115 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#11 0x7f65d204fac6 in thread_fetch lib/thread.c:1758 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#12 0x7f65d1f49377 in frr_run lib/libfrr.c:1184 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#13 0x563b7abefed1 in main staticd/static_main.c:160 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#14 0x7f65d1b92d09 in __libc_start_main ../csu/libc-start.c:308 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#15 0x563b7abefa99 in _start (/usr/lib/frr/staticd+0x15a99) ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- Signed-off-by: Donald Sharp <[email protected]>

Memory leaks are observed in the cleanup code. When “no router bgp" is executed, cleanup in that flow for aggregate-address command is not taken care. fixes the below leak: -- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#4 0x562bf42f1e55 in aggregate_addressv6_magic bgpd/bgp_route.c:8592 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#5 0x562bf42be3f5 in aggregate_addressv6 bgpd/bgp_route_clippy.c:341 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#4 0x562bf42f1cde in aggregate_addressv4_magic bgpd/bgp_route.c:8543 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#5 0x562bf42bd258 in aggregate_addressv4 bgpd/bgp_route_clippy.c:255 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444-SUMMARY: AddressSanitizer: 304 byte(s) leaked in 2 allocation(s). Signed-off-by: Samanvitha B Bhargav <[email protected]>

two things: On shutdown cleanup any events associated with the update walker. Also do not allow new events to be created. Fixes this mem-leak: ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790:Direct leak of 8 byte(s) in 1 object(s) allocated from: ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- #0 0x7f0dd0b08037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- #1 0x7f0dd06c19f9 in qcalloc lib/memory.c:105 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#2 0x55b42fb605bc in rib_update_ctx_init zebra/zebra_rib.c:4383 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#3 0x55b42fb6088f in rib_update zebra/zebra_rib.c:4421 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#4 0x55b42fa00344 in netlink_link_change zebra/if_netlink.c:2221 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#5 0x55b42fa24622 in netlink_information_fetch zebra/kernel_netlink.c:399 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#6 0x55b42fa28c02 in netlink_parse_info zebra/kernel_netlink.c:1183 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#7 0x55b42fa24951 in kernel_read zebra/kernel_netlink.c:493 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#8 0x7f0dd0797f0c in event_call lib/event.c:1995 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#9 0x7f0dd0684fd9 in frr_run lib/libfrr.c:1185 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#10 0x55b42fa30caa in main zebra/main.c:465 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#11 0x7f0dd01b5d09 in __libc_start_main ../csu/libc-start.c:308 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790-SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s). Signed-off-by: Donald Sharp <[email protected]>

@NNN

kttps://datatracker.ietf.org/doc/html/draft-ietf-idr-node-target-ext-comm unet> sh r1 vtysh -c 'sh ip bgp nei 192.168.1.2 adver' BGP table version is 1, local router ID is 192.168.1.1, vrf id 0 Default local pref 100, local AS 65001 Status codes: s suppressed, d damped, h history, * valid, > best, = multipath, i internal, r RIB-failure, S Stale, R Removed Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 10.10.10.10/32 0.0.0.0 0 32768 i Total number of prefixes 1 unet> sh r1 vtysh -c 'sh ip bgp nei 192.168.1.3 adver' BGP table version is 1, local router ID is 192.168.1.1, vrf id 0 Default local pref 100, local AS 65001 Status codes: s suppressed, d damped, h history, * valid, > best, = multipath, i internal, r RIB-failure, S Stale, R Removed Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 10.10.10.10/32 0.0.0.0 0 32768 i Total number of prefixes 1 unet> sh r2 vtysh -c 'show ip bgp 10.10.10.10/32' % Network not in table unet> sh r3 vtysh -c 'show ip bgp 10.10.10.10/32' BGP routing table entry for 10.10.10.10/32, version 1 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: 192.168.1.1 65001 192.168.1.1 from 192.168.1.1 (192.168.1.1) Origin IGP, metric 0, valid, external, best (First path received) Extended Community: NT:192.168.1.3 NT:192.168.1.4 Last update: Tue Apr 11 23:19:33 2023 unet> Signed-off-by: Donatas Abraitis <[email protected]>

cscarpitta · 2023-05-08T11:34:38Z

bgpd/bgp_vty.c

+	afi = vpn_policy_getafi(vty, bgp, true);
+	if (afi == AFI_MAX)
+		return CMD_WARNING_CONFIG_FAILED;


I suggest to replace these lines with something like this:

afi = bgp_node_afi(vty); safi = bgp_node_safi(vty); if ((SAFI_UNICAST != safi) || ((AFI_IP != afi) && (AFI_IP6 != afi))) { vty_out(vty, "%% redistribute vrf is valid only for unicast ipv4|ipv6\n"); return CMD_WARNING_CONFIG_FAILED; }

and leave the vpn_policy_getafi function unchanged.

This should be equivalent to your implementation, but it doesn't change the vpn_policy_getafi function which is used in some other places.

Done for this. Thanks for your comments.

cscarpitta · 2023-05-15T15:02:18Z

bgpd/bgp_vty.c

 		return AFI_MAX;
 	}
-
+#if 0


Now the function vpn_policy_getafi() is never called from your code, right?

I think there is no reason to change it. Can we remove the #if 0 directive and leave vpn_policy_getafi() unchanged?

Ok... I'm sorry, I forgot to restore it.

Example configuration: router bgp 100 vrf vrf-1 address-family ipv4 unicast rd vpn export 1:1 rt vpn both 1:1 export vpn import vpn redistribute vrf vrf-2 exit-address-family ! ! router bgp 100 vrf vrf-2 neighbor 2.2.2.2 remote-as 1 address-family ipv4 unicast rd vpn export 2:2 rt vpn both 2:2 neighbor 2.2.2.2 activate exit-address-family ! ! BGP routes learned from the neighbor 2.2.2.2 under VRF-1 can be directly copied to the BGP under VRF-1 without carrying the RD and RT attributes of VRF-1. After being copied to VRF-1, the routes will be sent to VPN with the RD 1:1 and RT 1:1 attributes, forming BGP-VPN routes. Signed-off-by: Jack.Zhang <[email protected]>

Signed-off-by: Jack.Zhang <[email protected]>

This commit adds a new test case.The new test case performs three operations: install routes in vrf1. set redistribute vrf vrf1 command on vrf2. check the copying routes by vrf1 in vrf2. Signed-off-by: Jack.Zhang <[email protected]>

This commit addresses a memory leak issue in the BGP Flowspec NLRI parsing function. Previously when processing NLRI, dynamically allocated memory to `temp` was not being freed, leading to a memory leak. The commit introduces the necessary code (XFREE) to properly free the temp memory after processing Flowspec NLRI. The ASan leak log for reference: ``` ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689:Direct leak of 56 byte(s) in 2 object(s) allocated from: ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- #0 0x7fc9872b5037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- #1 0x7fc986e5b1ee in qcalloc lib/memory.c:105 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#2 0x560421351bfe in bgp_nlri_parse_flowspec bgpd/bgp_flowspec.c:155 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#3 0x56042107d01c in bgp_nlri_parse bgpd/bgp_packet.c:350 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#4 0x560421086cf3 in bgp_update_receive bgpd/bgp_packet.c:2023 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#5 0x56042108deed in bgp_process_packet bgpd/bgp_packet.c:2933 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#6 0x7fc986f35bf7 in event_call lib/event.c:1995 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#7 0x7fc986e1e99d in frr_run lib/libfrr.c:1185 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#8 0x560420f3f59d in main bgpd/bgp_main.c:505 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#9 0x7fc986805d09 in __libc_start_main ../csu/libc-start.c:308 ``` Signed-off-by: Keelan Cannoo <[email protected]>

Fixes a crash associated with attempting to read beyond the end of the stream when parsing ASLA Sub-TLV. ``` Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff7830859 in __GI_abort () at abort.c:79 FRRouting#2 0x00007ffff7d51321 in _zlog_assert_failed (xref=xref@entry=0x7ffff7e306c0 <_xref.19624>, extra=extra@entry=0x0) at lib/zlog.c:667 FRRouting#3 0x00007ffff7ca802c in stream_getc (s=0x55555593d2a0) at lib/stream.c:353 FRRouting#4 0x00005555556421eb in unpack_item_ext_subtlv_asla (mtid=<optimized out>, exts=<optimized out>, indent=<optimized out>, log=<optimized out>, s=<optimized out>, subtlv_len=13 '\r') at isisd/isis_tlvs.c:1473 FRRouting#5 unpack_item_ext_subtlvs (indent=10, dest=0x555555940ca0, log=0x55555593af40 <logbuf>, s=0x55555593d2a0, len=16 '\020', mtid=2404) at isisd/isis_tlvs.c:2077 FRRouting#6 unpack_item_extended_reach (mtid=2404, len=<optimized out>, s=0x55555593d2a0, log=0x55555593af40 <logbuf>, dest=<optimized out>, indent=6) at isisd/isis_tlvs.c:3264 FRRouting#7 0x0000555555617bed in unpack_item (indent=6, dest=<optimized out>, log=<optimized out>, s=<optimized out>, len=<optimized out>, tlv_type=<optimized out>, context=<optimized out>, mtid=<optimized out>) at isisd/isis_tlvs.c:6078 FRRouting#8 unpack_tlv_with_items (context=<optimized out>, tlv_type=<optimized out>, tlv_len=80 'P', s=0x55555593d2a0, log=0x55555593af40 <logbuf>, dest=<optimized out>, indent=4) at isisd/isis_tlvs.c:6142 FRRouting#9 0x0000555555616f9a in unpack_tlv (unpacked_known_tlvs=<optimized out>, indent=2, dest=<optimized out>, log=0x55555593af40 <logbuf>, stream=<optimized out>, avail_len=<optimized out>, context=<optimized out>) at isisd/isis_tlvs.c:7032 FRRouting#10 unpack_tlvs (context=ISIS_CONTEXT_LSP, avail_len=97, stream=0x55555593d2a0, log=0x55555593af40 <logbuf>, dest=0x5555559408d0, indent=0, unpacked_known_tlvs=0x0) at isisd/isis_tlvs.c:7054 FRRouting#11 0x0000555555647ea8 in isis_unpack_tlvs (avail_len=97, stream=0x55555593d2a0, dest=0x7fffffffd7c8, log=0x7fffffffd7d0) at isisd/isis_tlvs.c:7085 FRRouting#12 0x000055555559c278 in test (input=0x7ffff79fa980 <_IO_2_1_stdin_>, output=0x7ffff79fb6a0 <_IO_2_1_stdout_>) at tests/isisd/test_fuzz_isis_tlv.c:101 FRRouting#13 0x0000555555598f0b in main (argc=<optimized out>, argv=<optimized out>) at tests/isisd/test_fuzz_isis_tlv_tests.h:4270 (gdb) ``` Caught by fuzzer. Signed-off-by: Carmine Scarpitta <[email protected]>

When `dplane_fpm_nl` receives a route, it allocates memory for a dplane context and calls `netlink_route_change_read_unicast_internal` without initializing the `intf_extra_list` contained in the dplane context. If `netlink_route_change_read_unicast_internal` is not able to process the route, we call `dplane_ctx_fini` to free the dplane context. This causes a crash because `dplane_ctx_fini` attempts to access the intf_extra_list which is not initialized. To solve this issue, we can call `dplane_ctx_route_init`to initialize the dplane route context properly, just after the dplane context allocation. (gdb) bt #0 0x0000555dd5ceae80 in dplane_intf_extra_list_pop (h=0x7fae1c007e68) at ../zebra/zebra_dplane.c:427 #1 dplane_ctx_free_internal (ctx=0x7fae1c0074b0) at ../zebra/zebra_dplane.c:724 FRRouting#2 0x0000555dd5cebc99 in dplane_ctx_free (pctx=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:869 FRRouting#3 dplane_ctx_free (pctx=0x7fae2aa88c98, pctx@entry=0x7fae2aa78c28) at ../zebra/zebra_dplane.c:855 FRRouting#4 dplane_ctx_fini (pctx=pctx@entry=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:890 FRRouting#5 0x00007fae31e93f29 in fpm_read (t=) at ../zebra/dplane_fpm_nl.c:605 FRRouting#6 0x00007fae325191dd in thread_call (thread=thread@entry=0x7fae2aa98da0) at ../lib/thread.c:2006 FRRouting#7 0x00007fae324c42b8 in fpt_run (arg=0x555dd74777c0) at ../lib/frr_pthread.c:309 FRRouting#8 0x00007fae32405ea7 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 FRRouting#9 0x00007fae32325a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6 Fixes: FRRouting#13754 Signed-off-by: Carmine Scarpitta <[email protected]>

…args ==13211==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000af158 at pc 0x55d48c5f1e38 bp 0x7fffd8a713d0 sp 0x7fffd8a713c0 READ of size 8 at 0x6020000af158 thread T0 #0 0x55d48c5f1e37 in rip_allow_ecmp ripd/rip_cli.c:98 #1 0x7f2ec125aa0f in cmd_execute_command_real lib/command.c:990 FRRouting#2 0x7f2ec125ae90 in cmd_execute_command lib/command.c:1049 FRRouting#3 0x7f2ec125b406 in cmd_execute lib/command.c:1217 FRRouting#4 0x7f2ec137ca36 in vty_command lib/vty.c:551 FRRouting#5 0x7f2ec137ce52 in vty_execute lib/vty.c:1314 FRRouting#6 0x7f2ec1384f9e in vtysh_read lib/vty.c:2223 FRRouting#7 0x7f2ec137041b in event_call lib/event.c:1995 FRRouting#8 0x7f2ec12b54bf in frr_run lib/libfrr.c:1204 FRRouting#9 0x55d48c5f0f32 in main ripd/rip_main.c:171 FRRouting#10 0x7f2ec0ad9c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) FRRouting#11 0x55d48c5f1349 in _start (/usr/lib/frr/ripd+0x3b349) 0x6020000af158 is located 0 bytes to the right of 8-byte region [0x6020000af150,0x6020000af158) allocated by thread T0 here: #0 0x7f2ec18ccb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f2ec12d2e41 in qmalloc lib/memory.c:100 FRRouting#2 0x7f2ec125a815 in cmd_execute_command_real lib/command.c:955 FRRouting#3 0x7f2ec125ae90 in cmd_execute_command lib/command.c:1049 FRRouting#4 0x7f2ec125b406 in cmd_execute lib/command.c:1217 FRRouting#5 0x7f2ec137ca36 in vty_command lib/vty.c:551 FRRouting#6 0x7f2ec137ce52 in vty_execute lib/vty.c:1314 FRRouting#7 0x7f2ec1384f9e in vtysh_read lib/vty.c:2223 FRRouting#8 0x7f2ec137041b in event_call lib/event.c:1995 FRRouting#9 0x7f2ec12b54bf in frr_run lib/libfrr.c:1204 FRRouting#10 0x55d48c5f0f32 in main ripd/rip_main.c:171 FRRouting#11 0x7f2ec0ad9c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: heap-buffer-overflow ripd/rip_cli.c:98 in rip_allow_ecmp Shadow bytes around the buggy address: 0x0c048000ddd0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa 0x0c048000dde0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c048000ddf0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd 0x0c048000de00: fa fa fd fa fa fa fd fd fa fa 00 03 fa fa fd fa 0x0c048000de10: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa 00 03 =>0x0c048000de20: fa fa 00 03 fa fa fd fa fa fa 00[fa]fa fa fa fa 0x0c048000de30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c048000de40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c048000de50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c048000de60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c048000de70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==13211==ABORTING Signed-off-by: Donatas Abraitis <[email protected]>

This commit addresses a memory leak issue in the BGP Flowspec NLRI parsing function. Previously when processing NLRI, dynamically allocated memory to `temp` was not being freed, leading to a memory leak. The commit introduces the necessary code (XFREE) to properly free the temp memory after processing Flowspec NLRI. The ASan leak log for reference: ``` ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689:Direct leak of 56 byte(s) in 2 object(s) allocated from: ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- #0 0x7fc9872b5037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- #1 0x7fc986e5b1ee in qcalloc lib/memory.c:105 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#2 0x560421351bfe in bgp_nlri_parse_flowspec bgpd/bgp_flowspec.c:155 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#3 0x56042107d01c in bgp_nlri_parse bgpd/bgp_packet.c:350 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#4 0x560421086cf3 in bgp_update_receive bgpd/bgp_packet.c:2023 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#5 0x56042108deed in bgp_process_packet bgpd/bgp_packet.c:2933 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#6 0x7fc986f35bf7 in event_call lib/event.c:1995 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#7 0x7fc986e1e99d in frr_run lib/libfrr.c:1185 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#8 0x560420f3f59d in main bgpd/bgp_main.c:505 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#9 0x7fc986805d09 in __libc_start_main ../csu/libc-start.c:308 ``` Signed-off-by: Keelan Cannoo <[email protected]>

When `dplane_fpm_nl` receives a route, it allocates memory for a dplane context and calls `netlink_route_change_read_unicast_internal` without initializing the `intf_extra_list` contained in the dplane context. If `netlink_route_change_read_unicast_internal` is not able to process the route, we call `dplane_ctx_fini` to free the dplane context. This causes a crash because `dplane_ctx_fini` attempts to access the intf_extra_list which is not initialized. To solve this issue, we can call `dplane_ctx_route_init`to initialize the dplane route context properly, just after the dplane context allocation. (gdb) bt #0 0x0000555dd5ceae80 in dplane_intf_extra_list_pop (h=0x7fae1c007e68) at ../zebra/zebra_dplane.c:427 #1 dplane_ctx_free_internal (ctx=0x7fae1c0074b0) at ../zebra/zebra_dplane.c:724 FRRouting#2 0x0000555dd5cebc99 in dplane_ctx_free (pctx=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:869 FRRouting#3 dplane_ctx_free (pctx=0x7fae2aa88c98, pctx@entry=0x7fae2aa78c28) at ../zebra/zebra_dplane.c:855 FRRouting#4 dplane_ctx_fini (pctx=pctx@entry=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:890 FRRouting#5 0x00007fae31e93f29 in fpm_read (t=) at ../zebra/dplane_fpm_nl.c:605 FRRouting#6 0x00007fae325191dd in thread_call (thread=thread@entry=0x7fae2aa98da0) at ../lib/thread.c:2006 FRRouting#7 0x00007fae324c42b8 in fpt_run (arg=0x555dd74777c0) at ../lib/frr_pthread.c:309 FRRouting#8 0x00007fae32405ea7 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 FRRouting#9 0x00007fae32325a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6 Fixes: FRRouting#13754 Signed-off-by: Carmine Scarpitta <[email protected]>

This commit ensures proper cleanup by deleting the gm_join_list when a PIM interface is deleted. The gm_join_list was previously not being freed, causing a memory leak. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in multicast_mld_join_topo1.test_multicast_mld_local_join/r1.asan.pim6d.28070 ================================================================= ==28070==ERROR: LeakSanitizer: detected memory leaks Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230372180f in list_new lib/linklist.c:49 FRRouting#3 0x56230361b589 in pim_if_gm_join_add pimd/pim_iface.c:1313 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 192 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 96 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 400 byte(s) leaked in 11 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]>

Memory leaks started flowing: ``` AddressSanitizer Topotests Part 0: 15 KB -> 283 KB AddressSanitizer Topotests Part 1: 1 KB -> 495 KB AddressSanitizer Topotests Part 2: 13 KB -> 478 KB AddressSanitizer Topotests Part 3: 39 KB -> 213 KB AddressSanitizer Topotests Part 4: 30 KB -> 836 KB AddressSanitizer Topotests Part 5: 0 bytes -> 356 KB AddressSanitizer Topotests Part 6: 86 KB -> 783 KB AddressSanitizer Topotests Part 7: 0 bytes -> 354 KB AddressSanitizer Topotests Part 8: 0 bytes -> 62 KB AddressSanitizer Topotests Part 9: 408 KB -> 518 KB ``` ``` Direct leak of 3584 byte(s) in 1 object(s) allocated from: #0 0x7f1957b02d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x559895c55df0 in qcalloc lib/memory.c:105 FRRouting#2 0x559895bc1cdf in zserv_client_create zebra/zserv.c:743 FRRouting#3 0x559895bc1cdf in zserv_accept zebra/zserv.c:880 FRRouting#4 0x559895cf3438 in event_call lib/event.c:1995 FRRouting#5 0x559895c3901c in frr_run lib/libfrr.c:1213 FRRouting#6 0x559895a698f1 in main zebra/main.c:472 FRRouting#7 0x7f195635ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) ``` Fixes b20acd0 ("bgpd: Use synchronous way to get labels from Zebra") Signed-off-by: Donatas Abraitis <[email protected]>

The loading_done event needs a event pointer to prevent use after free's. Testing found this: ERROR: AddressSanitizer: heap-use-after-free on address 0x613000035130 at pc 0x55ad42d54e5f bp 0x7ffff1e942a0 sp 0x7ffff1e94290 READ of size 1 at 0x613000035130 thread T0 #0 0x55ad42d54e5e in loading_done ospf6d/ospf6_neighbor.c:447 #1 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#2 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 FRRouting#3 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 FRRouting#4 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) FRRouting#5 0x55ad42cf2b19 in _start (/usr/lib/frr/ospf6d+0x248b19) 0x613000035130 is located 48 bytes inside of 384-byte region [0x613000035100,0x613000035280) freed by thread T0 here: #0 0x7f57998d77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55ad42e3b4b6 in qfree lib/memory.c:130 FRRouting#2 0x55ad42d5d049 in ospf6_neighbor_delete ospf6d/ospf6_neighbor.c:180 FRRouting#3 0x55ad42d1e1ea in interface_down ospf6d/ospf6_interface.c:930 FRRouting#4 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#5 0x55ad42ed84fe in _event_execute lib/event.c:2086 FRRouting#6 0x55ad42d26d7b in ospf6_interface_clear ospf6d/ospf6_interface.c:2847 FRRouting#7 0x55ad42d73f16 in ospf6_process_reset ospf6d/ospf6_top.c:755 FRRouting#8 0x55ad42d7e98c in clear_router_ospf6_magic ospf6d/ospf6_top.c:778 FRRouting#9 0x55ad42d7e98c in clear_router_ospf6 ospf6d/ospf6_top_clippy.c:42 FRRouting#10 0x55ad42dc2665 in cmd_execute_command_real lib/command.c:994 FRRouting#11 0x55ad42dc2b32 in cmd_execute_command lib/command.c:1053 FRRouting#12 0x55ad42dc2fa9 in cmd_execute lib/command.c:1221 FRRouting#13 0x55ad42ee3cd6 in vty_command lib/vty.c:591 FRRouting#14 0x55ad42ee4170 in vty_execute lib/vty.c:1354 FRRouting#15 0x55ad42eec94f in vtysh_read lib/vty.c:2362 FRRouting#16 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#17 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 FRRouting#18 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 FRRouting#19 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) previously allocated by thread T0 here: #0 0x7f57998d7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55ad42e3ab22 in qcalloc lib/memory.c:105 FRRouting#2 0x55ad42d5c8ff in ospf6_neighbor_create ospf6d/ospf6_neighbor.c:119 FRRouting#3 0x55ad42d4c86a in ospf6_hello_recv ospf6d/ospf6_message.c:464 FRRouting#4 0x55ad42d4c86a in ospf6_read_helper ospf6d/ospf6_message.c:1884 FRRouting#5 0x55ad42d4c86a in ospf6_receive ospf6d/ospf6_message.c:1925 FRRouting#6 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#7 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 FRRouting#8 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 FRRouting#9 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Add an actual event pointer and just track it appropriately. Signed-off-by: Donald Sharp <[email protected]>

The function ospf6_router_lsa_contains_adj(), ospf6_gr_check_adjs() and ospf6_find_interf_prefix_lsa() iterate through LSDB and lock each LSA. During testing, it was discovered that the lock count did not reach zero upon termination. The stack trace below indicates the leak. To resolve this issue, it was found that unlocking the LSA before returning from the functions solves the problem. This suggests that there was a missing unlock that caused the lock count to remain nonzero. ================================================================= ==22565==ERROR: LeakSanitizer: detected memory leaks Direct leak of 400 byte(s) in 2 object(s) allocated from: #0 0x7fa744ccea37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x7fa744867562 in qcalloc ../lib/memory.c:105 FRRouting#2 0x555cdbb37506 in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:710 FRRouting#3 0x555cdbb375d6 in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x555cdbaf1008 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x555cdbb48ceb in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x555cdbb4ac90 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x555cdbb4aecc in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7fa744950c33 in event_call ../lib/event.c:1995 FRRouting#9 0x7fa74483b34a in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x555cdbacf1eb in main ../ospf6d/ospf6_main.c:250 FRRouting#11 0x7fa7443f9d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x6110000606c0 (200 bytes) 0x611000060940 (200 bytes) Indirect leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7fa744cce867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7fa744867525 in qmalloc ../lib/memory.c:100 FRRouting#2 0x555cdbb37520 in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:711 FRRouting#3 0x555cdbb375d6 in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x555cdbaf1008 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x555cdbb48ceb in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x555cdbb4ac90 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x555cdbb4aecc in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7fa744950c33 in event_call ../lib/event.c:1995 FRRouting#9 0x7fa74483b34a in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x555cdbacf1eb in main ../ospf6d/ospf6_main.c:250 FRRouting#11 0x7fa7443f9d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x6040000325d0 (40 bytes) 0x604000032650 (40 bytes) SUMMARY: AddressSanitizer: 480 byte(s) leaked in 4 allocation(s). ================================================================= ==5483==ERROR: LeakSanitizer: detected memory leaks Direct leak of 2000 byte(s) in 10 object(s) allocated from: #0 0x7f2c3faeea37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x7f2c3f68a6d9 in qcalloc ../lib/memory.c:105 FRRouting#2 0x56431b83633d in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:710 FRRouting#3 0x56431b83640d in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x56431b7efe13 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x56431b847b31 in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x56431b849ad6 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x56431b849d12 in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7f2c3f773c62 in event_call ../lib/event.c:1995 FRRouting#9 0x7f2c3f65e2de in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x56431b7cdff6 in main ../ospf6d/ospf6_main.c:221 FRRouting#11 0x7f2c3f21dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x611000060800 (200 bytes) 0x611000060a80 (200 bytes) 0x611000060d00 (200 bytes) 0x611000060f80 (200 bytes) 0x611000061200 (200 bytes) 0x611000061480 (200 bytes) 0x611000061840 (200 bytes) 0x611000061ac0 (200 bytes) 0x61100006c740 (200 bytes) 0x61100006d500 (200 bytes) Indirect leak of 460 byte(s) in 10 object(s) allocated from: #0 0x7f2c3faee867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7f2c3f68a69c in qmalloc ../lib/memory.c:100 FRRouting#2 0x56431b836357 in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:711 FRRouting#3 0x56431b83640d in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x56431b7efe13 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x56431b847b31 in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x56431b849ad6 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x56431b849d12 in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7f2c3f773c62 in event_call ../lib/event.c:1995 FRRouting#9 0x7f2c3f65e2de in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x56431b7cdff6 in main ../ospf6d/ospf6_main.c:221 FRRouting#11 0x7f2c3f21dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x604000033110 (40 bytes) 0x604000033190 (40 bytes) 0x604000033210 (44 bytes) 0x604000033290 (44 bytes) 0x604000033310 (44 bytes) 0x604000033390 (44 bytes) 0x604000033410 (44 bytes) 0x604000033490 (44 bytes) 0x604000034c90 (44 bytes) 0x6070000d3830 (72 bytes) SUMMARY: AddressSanitizer: 2460 byte(s) leaked in 20 allocation(s). Signed-off-by: ryndia <[email protected]>

The bgp vpn policy had some attribute not free when the function bgp_free was called leading to memory leak as shown below. ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251:Direct leak of 592 byte(s) in 2 object(s) allocated from: ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #0 0x7f4b7ae92037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #1 0x7f4b7aa96e38 in qcalloc lib/memory.c:105 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#2 0x7f4b7aa9bec9 in srv6_locator_chunk_alloc lib/srv6.c:135 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#3 0x56396f8e56f8 in ensure_vrf_tovpn_sid_per_af bgpd/bgp_mplsvpn.c:752 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#4 0x56396f8e608a in ensure_vrf_tovpn_sid bgpd/bgp_mplsvpn.c:846 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#5 0x56396f8e075d in vpn_leak_postchange bgpd/bgp_mplsvpn.h:259 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#6 0x56396f8f3e5b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3397 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#7 0x56396fa920ef in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3238 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#8 0x7f4b7abb2913 in zclient_read lib/zclient.c:4134 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#9 0x7f4b7ab62010 in thread_call lib/thread.c:1991 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#10 0x7f4b7aa5a418 in frr_run lib/libfrr.c:1185 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#11 0x56396f7d756d in main bgpd/bgp_main.c:505 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#12 0x7f4b7a479d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251:Direct leak of 32 byte(s) in 2 object(s) allocated from: ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #0 0x7f4b7ae92037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #1 0x7f4b7aa96e38 in qcalloc lib/memory.c:105 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#2 0x56396f8e31b8 in vpn_leak_zebra_vrf_sid_update_per_af bgpd/bgp_mplsvpn.c:386 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#3 0x56396f8e3ae8 in vpn_leak_zebra_vrf_sid_update bgpd/bgp_mplsvpn.c:448 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#4 0x56396f8e09b0 in vpn_leak_postchange bgpd/bgp_mplsvpn.h:271 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#5 0x56396f8f3e5b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3397 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#6 0x56396fa920ef in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3238 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#7 0x7f4b7abb2913 in zclient_read lib/zclient.c:4134 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#8 0x7f4b7ab62010 in thread_call lib/thread.c:1991 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#9 0x7f4b7aa5a418 in frr_run lib/libfrr.c:1185 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#10 0x56396f7d756d in main bgpd/bgp_main.c:505 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#11 0x7f4b7a479d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251:Direct leak of 32 byte(s) in 2 object(s) allocated from: ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #0 0x7f4b7ae92037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #1 0x7f4b7aa96e38 in qcalloc lib/memory.c:105 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#2 0x56396f8e5730 in ensure_vrf_tovpn_sid_per_af bgpd/bgp_mplsvpn.c:753 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#3 0x56396f8e608a in ensure_vrf_tovpn_sid bgpd/bgp_mplsvpn.c:846 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#4 0x56396f8e075d in vpn_leak_postchange bgpd/bgp_mplsvpn.h:259 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#5 0x56396f8f3e5b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3397 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#6 0x56396fa920ef in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3238 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#7 0x7f4b7abb2913 in zclient_read lib/zclient.c:4134 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#8 0x7f4b7ab62010 in thread_call lib/thread.c:1991 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#9 0x7f4b7aa5a418 in frr_run lib/libfrr.c:1185 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#10 0x56396f7d756d in main bgpd/bgp_main.c:505 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#11 0x7f4b7a479d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251-SUMMARY: AddressSanitizer: 656 byte(s) leaked in 6 allocation(s). Signed-off-by: ryndia <[email protected]>

The `bgp_vrf->vrf_prd_pretty` string was not properly freed, leading to a memory leak. This commit resolves the memory leak by freeing the memory allocated for `bgp_vrf->vrf_prd_pretty` before returning from the function. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in evpn_type5_test_topo1.test_evpn_type5_topo1/e1.asan.bgpd.17689 ================================================================= ==17689==ERROR: LeakSanitizer: detected memory leaks Direct leak of 15 byte(s) in 1 object(s) allocated from: #0 0x7fdd94fc0538 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x77538) #1 0x55e28d9c4c6c in qstrdup lib/memory.c:117 FRRouting#2 0x55e28d6c0d27 in evpn_configure_vrf_rd bgpd/bgp_evpn_vty.c:2297 FRRouting#3 0x55e28d6c0d27 in bgp_evpn_vrf_rd bgpd/bgp_evpn_vty.c:6271 FRRouting#4 0x55e28d94c155 in cmd_execute_command_real lib/command.c:994 FRRouting#5 0x55e28d94c622 in cmd_execute_command lib/command.c:1053 FRRouting#6 0x55e28d94ca99 in cmd_execute lib/command.c:1221 FRRouting#7 0x55e28da6d7d4 in vty_command lib/vty.c:591 FRRouting#8 0x55e28da6dc6e in vty_execute lib/vty.c:1354 FRRouting#9 0x55e28da7644d in vtysh_read lib/vty.c:2362 FRRouting#10 0x55e28da616e2 in event_call lib/event.c:1995 FRRouting#11 0x55e28d9a7a65 in frr_run lib/libfrr.c:1213 FRRouting#12 0x55e28d63ef00 in main bgpd/bgp_main.c:505 FRRouting#13 0x7fdd93883c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 15 byte(s) leaked in 1 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]>

When SRv6 locator is modified for configuration, a memory leak is observed. > ==26714==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 1104 byte(s) in 3 object(s) allocated from: > #0 0x7fb232cb83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 > #1 0x7fb232822b79 in qcalloc lib/memory.c:111 > FRRouting#2 0x7fb23283a8b6 in srv6_locator_alloc lib/srv6.c:227 > FRRouting#3 0x56347cdd4b57 in bgp_zebra_srv6_sid_notify bgpd/bgp_zebra.c:3661 > FRRouting#4 0x7fb23290d03e in zclient_read lib/zclient.c:4804 > FRRouting#5 0x7fb2328da6a0 in event_call lib/event.c:2005 > FRRouting#6 0x7fb232800791 in frr_run lib/libfrr.c:1252 > FRRouting#7 0x56347cb929ff in main bgpd/bgp_main.c:565 > FRRouting#8 0x7fb23222c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Philippe Guibert <[email protected]>

The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 FRRouting#2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 FRRouting#3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 FRRouting#4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 FRRouting#5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 FRRouting#6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <[email protected]>

A crash is detected on an invalid memory access to the 0x0 address zone. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=130889386464320) > at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=130889386464320) at ./nptl/pthread_kill.c:78 > FRRouting#2 __GI___pthread_kill (threadid=130889386464320, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > FRRouting#3 0x0000770b0f042476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x0000770b0f507846 in core_handler (signo=11, siginfo=0x7ffd4f7ec9f0, context=0x7ffd4f7ec8c0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > FRRouting#5 <signal handler called> > FRRouting#6 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:339 > FRRouting#7 0x0000770b0f50bb54 in sockunion_set (su=0x7ffd4f7ed7b0, family=2, addr=0x0, bytes=4) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sockunion.c:500 > FRRouting#8 0x00005f75d5430817 in nhrp_cie_pull (zb=0x5f75f262c4d0, hdr=0x5f75f2627dd8, nbma=0x7ffd4f7ed6d0, > proto=0x7ffd4f7ed7b0) at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:180 > FRRouting#9 0x00005f75d5434652 in nhrp_peer_forward (p=0x5f75f2605f30, pp=0x7ffd4f7ed8c0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1050 > FRRouting#10 0x00005f75d54356cb in nhrp_peer_recv (p=0x5f75f2605f30, zb=0x5f75f2627da0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1341 > FRRouting#11 0x00005f75d5430d8e in nhrp_packet_recvraw (t=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:332 > FRRouting#12 0x0000770b0f521188 in thread_call (thread=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > FRRouting#13 0x0000770b0f4b7737 in frr_run (master=0x5f75f2440570) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1155 > FRRouting#14 0x00005f75d542d2b4 in main (argc=3, argv=0x7ffd4f7ee0b8) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_main.c:317 The incoming nhrp packet is too short, and the call to sockunion_set() uses a 0x0 memory zone, because the whole nhrp packet has been parsed, and the zbuf length used was 0. Fix this by detecting the zbuf remaining length before calling sockunion_set. Signed-off-by: Philippe Guibert <[email protected]> (cherry picked from commit 30e479e)

The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 FRRouting#2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 FRRouting#3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 FRRouting#4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 FRRouting#5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 FRRouting#6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <[email protected]> (cherry picked from commit fa67f51)

Seen with isis_srv6_topo1 topotest. > ==178793==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 56 byte(s) in 1 object(s) allocated from: > #0 0x7f3f63cb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f3f6366f8dd in qcalloc lib/memory.c:105 > FRRouting#2 0x561b810c62b7 in isis_srv6_sid_alloc isisd/isis_srv6.c:243 > FRRouting#3 0x561b8111f944 in isis_zebra_srv6_sid_notify isisd/isis_zebra.c:1534 > FRRouting#4 0x7f3f637df9d7 in zclient_read lib/zclient.c:4845 > FRRouting#5 0x7f3f637779b2 in event_call lib/event.c:2011 > FRRouting#6 0x7f3f63642ff1 in frr_run lib/libfrr.c:1216 > FRRouting#7 0x561b81018bf2 in main isisd/isis_main.c:360 > FRRouting#8 0x7f3f63029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: 0af0f46 ("isisd: Receive SRv6 SIDs notifications from zebra") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit 25c813a)

A heap use after free when enabling bmp mirror on a non connected BMP target. > Apr 22 14:06:49 vRR-DUT systemd[1]: Started bfdd. > Apr 22 14:06:51 vRR-DUT bgpd[1522]: [VTCF0-ZHP6C] bmp: missing TX OPEN message for peer Static announcement > Apr 22 14:06:51 vRR-DUT bgpd[1522]: [K3RM9-4A4HY] bmp: missing RX OPEN message for peer Static announcement > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ================================================================= > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000321d0 at pc 0x7fe7f11c548e bp 0x7fff49f80d40 sp 0x7fff49f80d30 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: READ of size 8 at 0x60f0000321d0 thread T0 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f11c548d in typesafe_list_add /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f11c9347 in bmp_mirrorq_add_tail /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:116 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#2 0x7fe7f11d030f in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:867 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#9 0x7fe7f4c29e3f in __libc_start_main_impl ../csu/libc-start.c:392 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#10 0x55c756c6e384 in _start (/usr/bin/bgpd+0x272384) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x60f0000321d0 is located 0 bytes inside of 162-byte region [0x60f0000321d0,0x60f000032272) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: freed by thread T0 here: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f58b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f526f918 in qfree (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f918) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#2 0x7fe7f11d057b in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:875 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: previously allocated by thread T0 here: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f58b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f526f7c6 in qcalloc (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f7c6) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#2 0x7fe7f11cfd38 in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:835 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: FRRouting#8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: SUMMARY: AddressSanitizer: heap-use-after-free /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 in typesafe_list_add > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow bytes around the buggy address: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe3f0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe410: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: =>0x0c1e7fffe430: 00 fa fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow byte legend (one shadow byte represents 8 application bytes): > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Addressable: 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Partially addressable: 01 02 03 04 05 06 07 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Heap left redzone: fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Freed heap region: fd > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack left redzone: f1 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack mid redzone: f2 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack right redzone: f3 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack after return: f5 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack use after scope: f8 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Global redzone: f9 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Global init order: f6 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Poisoned by user: f7 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Container overflow: fc > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Array cookie: ac > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Intra object redzone: bb > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ASan internal: fe > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Left alloca redzone: ca > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Right alloca redzone: cb > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow gap: cc > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ABORTING > Apr 22 14:06:52 vRR-DUT yams[449]: CONFIG: [{'name': 'ttyS0'}] > Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 50: Connection reset by peer > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Main process exited, code=exited, status=1/FAILURE > Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 39: Connection reset by peer > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Failed with result 'exit-code'. > Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 0) encountered an error and is shutting down. > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Consumed 2.361s CPU time. > Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 1) encountered an error and is shutting down. > Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 39 disconnected 0 bgp routes removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 39 disconnected 0 bgp nhgs removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [KQB7H-NPVW9] /build/make-pkg/output/_packages/cp-routing/src/zebra/zebra_ptm.c:1285 failed to find process pid registration > Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 50 disconnected 0 bgp routes removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 50 disconnected 0 bgp nhgs removed from the rib > Do not enqueue item in the mirror queue if no reference count has been found in the connection list. Fixes: b1ebe54 ("bgpd: bmp, handle imported bgp instances in bmp_mirror") Signed-off-by: Philippe Guibert <[email protected]> (cherry picked from commit 02da52d)

A crash is detected on an invalid memory access to the 0x0 address zone. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=130889386464320) > at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=130889386464320) at ./nptl/pthread_kill.c:78 > FRRouting#2 __GI___pthread_kill (threadid=130889386464320, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > FRRouting#3 0x0000770b0f042476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x0000770b0f507846 in core_handler (signo=11, siginfo=0x7ffd4f7ec9f0, context=0x7ffd4f7ec8c0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > FRRouting#5 <signal handler called> > FRRouting#6 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:339 > FRRouting#7 0x0000770b0f50bb54 in sockunion_set (su=0x7ffd4f7ed7b0, family=2, addr=0x0, bytes=4) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sockunion.c:500 > FRRouting#8 0x00005f75d5430817 in nhrp_cie_pull (zb=0x5f75f262c4d0, hdr=0x5f75f2627dd8, nbma=0x7ffd4f7ed6d0, > proto=0x7ffd4f7ed7b0) at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:180 > FRRouting#9 0x00005f75d5434652 in nhrp_peer_forward (p=0x5f75f2605f30, pp=0x7ffd4f7ed8c0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1050 > FRRouting#10 0x00005f75d54356cb in nhrp_peer_recv (p=0x5f75f2605f30, zb=0x5f75f2627da0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1341 > FRRouting#11 0x00005f75d5430d8e in nhrp_packet_recvraw (t=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:332 > FRRouting#12 0x0000770b0f521188 in thread_call (thread=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > FRRouting#13 0x0000770b0f4b7737 in frr_run (master=0x5f75f2440570) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1155 > FRRouting#14 0x00005f75d542d2b4 in main (argc=3, argv=0x7ffd4f7ee0b8) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_main.c:317 The incoming nhrp packet is too short, and the call to sockunion_set() uses a 0x0 memory zone, because the whole nhrp packet has been parsed, and the zbuf length used was 0. Fix this by detecting the zbuf remaining length before calling sockunion_set. Signed-off-by: Philippe Guibert <[email protected]> (cherry picked from commit 30e479e)

The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 FRRouting#2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 FRRouting#3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 FRRouting#4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 FRRouting#5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 FRRouting#6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <[email protected]> (cherry picked from commit fa67f51)

Problem 1: 1. when s_client->gr_instance_count > 0 the code removed info from gr_info_queue and returned without freeing it. Fix: We now free info on that early return, so that leak is closed. Problem 2. During shutdown of zebra, stale clients are scheduled for deletion in META_QUEUE_GR. But before the META_QUEUE_GR is processed, zebra shuts down as a result there's a leak Fix: Implemented synchronous free on shutdown path. Leak in both cases: Indirect leak of 72 byte(s) in 1 object(s) allocated from: #0 0x7f48922b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 #1 0x7f4891e23c0d in qcalloc lib/memory.c:111 FRRouting#2 0x55602360e3ac in zebra_gr_client_info_create zebra/zebra_gr.c:101 FRRouting#3 0x55602360e3ac in zread_client_capabilities zebra/zebra_gr.c:359 FRRouting#4 0x5560235f2ead in zserv_handle_commands zebra/zapi_msg.c:4226 FRRouting#5 0x556023719ef1 in zserv_process_messages zebra/zserv.c:561 FRRouting#6 0x7f4891edbc17 in event_call lib/event.c:2009 FRRouting#7 0x7f4891e017d9 in frr_run lib/libfrr.c:1252 FRRouting#8 0x5560235a63eb in main zebra/main.c:552 FRRouting#9 0x7f489190c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Pooja Jagadeesh Doijode <[email protected]>

bgp_flowspec.test_bgp_flowspec_topo started to fail (crash) after this. Let's revert it for now. It's freed a bit above already: hash_release(bpm->entry_hash, bpme); bgp_pbr_match_entry_free(bpme); ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x60e00009f8a0 #0 0x7f27d6cb7f04 in __interceptor_malloc_usable_size ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:119 #1 0x7f27d6c264f6 in __sanitizer::BufferedStackTrace::Unwind(unsigned long, unsigned long, void*, bool, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:131 FRRouting#2 0x7f27d6c264f6 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1058 FRRouting#3 0x7f27d68254df in mt_count_free lib/memory.c:83 FRRouting#4 0x7f27d68254df in qfree lib/memory.c:135 FRRouting#5 0x5637d57b04a2 in bgp_pbr_match_entry_free bgpd/bgp_pbr.c:977 FRRouting#6 0x5637d57b04a2 in bgp_pbr_flush_entry bgpd/bgp_pbr.c:1737 FRRouting#7 0x5637d57b40be in bgp_pbr_policyroute_remove_from_zebra_unit bgpd/bgp_pbr.c:1980 FRRouting#8 0x5637d57bb7c0 in bgp_pbr_policyroute_remove_from_zebra bgpd/bgp_pbr.c:2144 FRRouting#9 0x5637d57bb7c0 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2781 FRRouting#10 0x5637d57bb7c0 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2905 FRRouting#11 0x5637d58d23e1 in bgp_zebra_withdraw_actual bgpd/bgp_zebra.c:1733 FRRouting#12 0x5637d57ccc9e in bgp_cleanup_table bgpd/bgp_route.c:7300 FRRouting#13 0x5637d57e27d2 in bgp_cleanup_routes bgpd/bgp_route.c:7318 FRRouting#14 0x5637d5911b91 in bgp_delete bgpd/bgpd.c:4370 FRRouting#15 0x5637d56961b4 in bgp_exit bgpd/bgp_main.c:212 FRRouting#16 0x5637d56961b4 in sigint bgpd/bgp_main.c:162 FRRouting#17 0x7f27d68af501 in frr_sigevent_process lib/sigevent.c:117 FRRouting#18 0x7f27d68db77a in event_fetch lib/event.c:1742 FRRouting#19 0x7f27d68027e4 in frr_run lib/libfrr.c:1251 FRRouting#20 0x5637d5697c55 in main bgpd/bgp_main.c:569 FRRouting#21 0x7f27d630c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 FRRouting#22 0x7f27d630c304 in __libc_start_main_impl ../csu/libc-start.c:360 FRRouting#23 0x5637d5695ac0 in _start (/usr/lib/frr/bgpd+0x2cfac0) 0x60e00009f8a0 is located 0 bytes inside of 160-byte region [0x60e00009f8a0,0x60e00009f940) freed by thread T0 here: #0 0x7f27d6cb76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 #1 0x7f27d6825500 in qfree lib/memory.c:136 FRRouting#2 0x5637d57b0366 in bgp_pbr_match_entry_free bgpd/bgp_pbr.c:977 FRRouting#3 0x5637d57b0366 in bgp_pbr_flush_entry bgpd/bgp_pbr.c:1715 FRRouting#4 0x5637d57b40be in bgp_pbr_policyroute_remove_from_zebra_unit bgpd/bgp_pbr.c:1980 FRRouting#5 0x5637d57bb7c0 in bgp_pbr_policyroute_remove_from_zebra bgpd/bgp_pbr.c:2144 FRRouting#6 0x5637d57bb7c0 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2781 FRRouting#7 0x5637d57bb7c0 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2905 FRRouting#8 0x5637d58d23e1 in bgp_zebra_withdraw_actual bgpd/bgp_zebra.c:1733 FRRouting#9 0x5637d57ccc9e in bgp_cleanup_table bgpd/bgp_route.c:7300 FRRouting#10 0x5637d57e27d2 in bgp_cleanup_routes bgpd/bgp_route.c:7318 FRRouting#11 0x5637d5911b91 in bgp_delete bgpd/bgpd.c:4370 FRRouting#12 0x5637d56961b4 in bgp_exit bgpd/bgp_main.c:212 FRRouting#13 0x5637d56961b4 in sigint bgpd/bgp_main.c:162 FRRouting#14 0x7f27d68af501 in frr_sigevent_process lib/sigevent.c:117 FRRouting#15 0x7f27d68db77a in event_fetch lib/event.c:1742 FRRouting#16 0x7f27d68027e4 in frr_run lib/libfrr.c:1251 FRRouting#17 0x5637d5697c55 in main bgpd/bgp_main.c:569 FRRouting#18 0x7f27d630c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 This reverts commit d0df550. Signed-off-by: Donatas Abraitis <[email protected]>

This commit addresses a leak where temporary memory allocated earlier by the `prefix_copy` function for AF_FLOWSPEC prefixes was not being freed. To ensure proper memory management, we now release this temporary memory by calling `prefix_flowspec_ptr_free`. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in bgp_flowspec.test_bgp_flowspec_topo/r1.asan.bgpd.11539 ================================================================= ==11539==ERROR: LeakSanitizer: detected memory leaks Direct leak of 56 byte(s) in 2 object(s) allocated from: #0 0x7feaa956ad28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7feaa8f670da in qcalloc lib/memory.c:105 FRRouting#2 0x7feaa8fac1d4 in prefix_copy lib/prefix.c:346 FRRouting#3 0x7feaa8ff43e8 in route_node_get lib/table.c:274 FRRouting#4 0x56247cc798c0 in bgp_node_get bgpd/bgp_table.h:236 FRRouting#5 0x56247cc798c0 in bgp_afi_node_get bgpd/bgp_route.c:145 FRRouting#6 0x56247cc92622 in bgp_update bgpd/bgp_route.c:4188 FRRouting#7 0x56247ce55b21 in bgp_nlri_parse_flowspec bgpd/bgp_flowspec.c:193 FRRouting#8 0x56247cc4cdd8 in bgp_nlri_parse bgpd/bgp_packet.c:350 FRRouting#9 0x56247cc4f37c in bgp_update_receive bgpd/bgp_packet.c:2153 FRRouting#10 0x56247cc591e2 in bgp_process_packet bgpd/bgp_packet.c:3214 FRRouting#11 0x7feaa9005b99 in event_call lib/event.c:1979 FRRouting#12 0x7feaa8f4a379 in frr_run lib/libfrr.c:1213 FRRouting#13 0x56247cb51b21 in main bgpd/bgp_main.c:510 FRRouting#14 0x7feaa7f8dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 56 byte(s) leaked in 2 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]> (cherry picked from commit a7fe30e) Conflicts: bgpd/bgp_table.c lib/prefix.c lib/prefix.h lib/table.c Signed-off-by: Louis Scalbert <[email protected]> Signed-off-by: Philippe Guibert <[email protected]>

Upon examining this Indirect leak: Indirect leak of 160 byte(s) in 4 object(s) allocated from: #0 0x7fe4f40b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 #1 0x7fe4f3c24c1d in qcalloc lib/memory.c:111 FRRouting#2 0x7fe4f3c03441 in list_new lib/linklist.c:49 FRRouting#3 0x564c81d076f9 in ospf_spf_vertex_copy ospfd/ospf_spf.c:335 FRRouting#4 0x564c81d0bff2 in ospf_spf_copy ospfd/ospf_spf.c:378 FRRouting#5 0x564c81d158e8 in ospf_ti_lfa_generate_p_space ospfd/ospf_ti_lfa.c:787 FRRouting#6 0x564c81d162f5 in ospf_ti_lfa_generate_p_spaces ospfd/ospf_ti_lfa.c:923 FRRouting#7 0x564c81d16532 in ospf_ti_lfa_compute ospfd/ospf_ti_lfa.c:1101 FRRouting#8 0x564c81d0e942 in ospf_spf_calculate_area ospfd/ospf_spf.c:1811 FRRouting#9 0x564c81d0eaa6 in ospf_spf_calculate_areas ospfd/ospf_spf.c:1840 FRRouting#10 0x564c81d0eda2 in ospf_spf_calculate_schedule_worker ospfd/ospf_spf.c:1871 FRRouting#11 0x7fe4f3cdd7c3 in event_call lib/event.c:2009 FRRouting#12 0x7fe4f3c027e9 in frr_run lib/libfrr.c:1252 FRRouting#13 0x564c81c95191 in main ospfd/ospf_main.c:307 FRRouting#14 0x7fe4f370c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 It was noticed that the vertex has another list that is not being cleanedup. Let's allow this to happen. Signed-off-by: Donald Sharp <[email protected]>

…ists Traditionally BGP does wCMP only when the Link-Bandwidth extended community exists, but since we have Next-Next Hop Nodes characteristic, it's useful to allow doing wCMP by using NHC attribute as well. It was discussed a bit about this feature at BalticNOG 2025, and people are interested having this. E.g.: r1# show ip bgp 10.0.0.1/32 BGP routing table entry for 10.0.0.1/32, version 7 Paths: (2 available, best #1, table default) Advertised to peers: 10.255.0.2 10.255.16.6 65002 65003 10.255.0.2 from 10.255.0.2 (10.255.0.2) Origin IGP, valid, external, multipath, best (Older Path) Last update: Sat Sep 27 18:26:39 2025 Characteristics: Next-next Hop Nodes: 10.255.0.3 10.255.0.4 10.255.0.5 BGPID: 10.255.0.3 65006 65007 10.255.16.6 from 10.255.16.6 (10.255.0.6) Origin IGP, valid, external, multipath Last update: Sat Sep 27 18:26:45 2025 Characteristics: Next-next Hop Nodes: 10.255.0.7 10.255.0.8 r1# Here we can see that 10.255.0.2 has 3 nodes behind for 10.0.0.1/32, while 10.255.16.6 has 2, so the weight is adjusted accordingly to distribute the traffic proportionally. r1# show ip route 10.0.0.1/32 Routing entry for 10.0.0.1/32 Known via "bgp", distance 20, metric 0, best Last update 00:01:10 ago * 10.255.16.6, via r1-eth1, weight 169 * 10.255.0.2, via r1-eth0, weight 254 munet> r1 shi ip route show 10.0.0.1 10.0.0.1 nhid 22 proto bgp metric 20 nexthop via 10.255.0.2 dev r1-eth0 weight 254 nexthop via 10.255.16.6 dev r1-eth1 weight 169 Signed-off-by: Donatas Abraitis <[email protected]>

We can do this now in gdb: (rr) walk_bgp_table table Walking BGP table at 0x55bd95ec5b70 AFI: 3, SAFI: 5 Version: 0 (Two-level table: RD -> Routes) === RD: 10.0.0.21:2 === === Dest #1: 0x55bd961a0130 === Prefix: [5]:[0]:[32]:10.1.1.1 dest->flags: 0x1 PROCESS_SCHEDULED --- Path #1 --- bgp_path_info: 0x55bd961a04b0 peer: 0x55bd95ebdfd0 (Static announcement) type: 10, sub_type: 1 (STATIC) flags: 0x80010 VALID UNSORTED uptime: 764569, lock: 1 attr: 0x55bd961a0380 (nexthop: 120.0.0.3) extra: 0x55bd960ac720 [has labels] [has evpn] next: 0x0, prev: 0x0 === RD: 10.0.0.33:1 === === Dest FRRouting#2: 0x55bd95eb41e0 === Prefix: [5]:[0]:[32]:10.1.1.1 dest->flags: 0x0 --- Path #1 --- bgp_path_info: 0x55bd95ea2a20 peer: 0x55bd95ed56a0 (10.0.0.18) type: 10, sub_type: 0 (NORMAL) flags: 0x418 SELECTED VALID COUNTED uptime: 764568, lock: 2 attr: 0x55bd956aa3b0 (nexthop: 120.0.0.1) extra: 0x55bd960a5d60 [has labels] [has evpn] next: 0x0, prev: 0x0 === Dest FRRouting#3: 0x55bd960aa4b0 === Prefix: [5]:[0]:[128]:10:0:0:0:0:0:0:1 dest->flags: 0x0 --- Path #1 --- bgp_path_info: 0x55bd960ad190 peer: 0x55bd95ed56a0 (10.0.0.18) type: 10, sub_type: 0 (NORMAL) flags: 0x418 SELECTED VALID COUNTED uptime: 764569, lock: 2 attr: 0x55bd960ad2e0 (nexthop: 120.0.0.1) extra: 0x55bd960aa540 [has labels] [has evpn] next: 0x0, prev: 0x0 === RD: 10.0.0.37:2 === === Dest FRRouting#4: 0x55bd960ad930 === Prefix: [5]:[0]:[32]:20.1.1.1 dest->flags: 0x0 --- Path #1 --- bgp_path_info: 0x55bd960a97b0 peer: 0x55bd95ed56a0 (10.0.0.18) type: 10, sub_type: 0 (NORMAL) flags: 0x418 SELECTED VALID COUNTED uptime: 764568, lock: 2 attr: 0x55bd960a93b0 (nexthop: 120.0.0.1) extra: 0x55bd960a6b30 [has labels] [has evpn] next: 0x0, prev: 0x0 --Type <RET> for more, q to quit, c to continue without paging-- === RD: 10.0.0.41:3 === === Dest FRRouting#5: 0x55bd960a9c30 === Prefix: [5]:[0]:[32]:30.1.1.1 dest->flags: 0x0 --- Path #1 --- bgp_path_info: 0x55bd960a9e10 peer: 0x55bd95ed56a0 (10.0.0.18) type: 10, sub_type: 0 (NORMAL) flags: 0x418 SELECTED VALID COUNTED uptime: 764568, lock: 2 attr: 0x55bd960a9cc0 (nexthop: 120.0.0.1) extra: 0x55bd960a9eb0 [has labels] [has evpn] next: 0x0, prev: 0x0 === Summary === Total destinations with paths: 5 Total paths: 5 Or: (rr) walk_bgp_table table Walking BGP table at 0x55bd95ee53b0 AFI: 2, SAFI: 1 Version: 1 === Dest #1: 0x55bd960ad4a0 === Prefix: IPv6:10:0:0:0:0:0:0:1/128 dest->flags: 0x1 PROCESS_SCHEDULED --- Path #1 --- bgp_path_info: 0x55bd960a5eb0 peer: 0x55bd95ef92c0 (fd00:0:0:5::2) type: 10, sub_type: 0 (NORMAL) flags: 0x80400 COUNTED UNSORTED uptime: 764569, lock: 1 attr: 0x55bd9619fb20 (nexthop: 0.0.0.0) extra: 0x55bd95ef31d0 next: 0x55bd960abe30, prev: 0x0 --- Path FRRouting#2 --- bgp_path_info: 0x55bd960abe30 peer: 0x55bd95ed56a0 (10.0.0.18) type: 10, sub_type: 5 (IMPORTED) flags: 0x4018 SELECTED VALID ANNC_NH_SELF uptime: 764569, lock: 1 attr: 0x55bd960ad530 (nexthop: 120.0.0.1) extra: 0x55bd960abed0 [has labels] [has vrfleak] next: 0x0, prev: 0x55bd960a5eb0 === Summary === Total destinations with paths: 1 Total paths: 2 People might find this useful. Signed-off-by: Donald Sharp <[email protected]>

On one interface without any mld/pim/igmp configuration, set the command: `ip igmp require-router-alert` or `ipv6 mld require-router-alert`. It will crash for empty `pim_ifp`. ``` #0 0x000055cd72861d40 in lib_interface_gmp_require_router_alert_modify (args=0x7ffec1894e70) at ../pimd/pim_nb_config.c:4768 #1 0x00007f5cdcda137b in nb_callback_modify (context=0x55cd74647a10, nb_node=0x55cd7441c970, event=NB_EV_APPLY, dnode=0x55cd74646350, resource=0x55cd746470c8, errmsg=0x7ffec1895460 "", errmsg_len=8192) at ../lib/northbound.c:1598 FRRouting#2 0x00007f5cdcda20b7 in nb_callback_configuration (context=0x55cd74647a10, event=NB_EV_APPLY, change=0x55cd74647090, errmsg=0x7ffec1895460 "", errmsg_len=8192) at ../lib/northbound.c:1962 FRRouting#3 0x00007f5cdcda261f in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55cd74647a10, errmsg=0x7ffec1895460 "", errmsg_len=8192) at ../lib/northbound.c:2091 FRRouting#4 0x00007f5cdcda0cee in nb_candidate_commit_apply (transaction=0x55cd74647a10, save_transaction=true, transaction_id=0x0, errmsg=0x7ffec1895460 "", errmsg_len=8192) at ../lib/northbound.c:1409 FRRouting#5 0x00007f5cdcda0e76 in nb_candidate_commit (context=..., candidate=0x55cd7439d960, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffec1895460 "", errmsg_len=8192) at ../lib/northbound.c:1449 FRRouting#6 0x00007f5cdcda78aa in nb_cli_classic_commit (vty=0x55cd74639b60) at ../lib/northbound_cli.c:57 FRRouting#7 0x00007f5cdcda7ea5 in nb_cli_apply_changes_internal (vty=0x55cd74639b60, xpath_base=0x7ffec18994f0 "/frr-interface:lib/interface[name='xx']/frr-gmp:gmp/address-family[address-family='frr-routing:ipv4']", clear_pending=false) at ../lib/northbound_cli.c:195 FRRouting#8 0x00007f5cdcda8196 in _nb_cli_apply_changes (vty=0x55cd74639b60, xpath_base=0x7ffec1899940 "./frr-gmp:gmp/address-family[address-family='frr-routing:ipv4']", clear_pending=false) at ../lib/northbound_cli.c:251 ``` Signed-off-by: anlan_cs <[email protected]>

route-map match condition on evpn default-route does not have proper check that its truly type-5 before checking prefixlen being 0. In absence of the fix, the set condition applied to all evpn routes as evpn prefix is type union so just checking for prefixlen 0 is not sufficient. Ticket:#3227895 Issue:3227895 Testing Done: Apply ingress route-map policy: route-map POLICY_OUT_SS permit 10 match evpn default-route set metric 6666 Default route contains metric only to default route: BGP routing table entry for 144.1.1.6:4:[5]:[0]:[0.0.0.0/0]/352 Paths: (2 available, best #1) Advertised to non peer-group peers: leaf-21(swp1) leaf-22(swp2) Route [5]:[0]:[0]:[0.0.0.0] VNI 104002 651004 652000 651001 660000 6.0.0.1 from leaf-21(swp1) (6.0.0.26) Origin IGP, metric 6666, valid, external, bestpath-from-AS 651004, best (Router ID) Extended Community: RT:4640:104002 ET:8 Rmac:00:02:00:00:00:04 Last update: Fri Oct 7 20:25:39 2022 Route [5]:[0]:[0]:[0.0.0.0] VNI 104002 651004 652000 651001 660000 6.0.0.1 from leaf-22(swp2) (6.0.0.27) Origin IGP, metric 6666, valid, external Extended Community: RT:4640:104002 ET:8 Rmac:00:02:00:00:00:04 Last update: Fri Oct 7 20:25:39 2022 Signed-off-by: Chirag Shah <[email protected]>

Seen with isis_srv6_topo1 topotest. > ==178793==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 56 byte(s) in 1 object(s) allocated from: > #0 0x7f3f63cb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f3f6366f8dd in qcalloc lib/memory.c:105 > FRRouting#2 0x561b810c62b7 in isis_srv6_sid_alloc isisd/isis_srv6.c:243 > FRRouting#3 0x561b8111f944 in isis_zebra_srv6_sid_notify isisd/isis_zebra.c:1534 > FRRouting#4 0x7f3f637df9d7 in zclient_read lib/zclient.c:4845 > FRRouting#5 0x7f3f637779b2 in event_call lib/event.c:2011 > FRRouting#6 0x7f3f63642ff1 in frr_run lib/libfrr.c:1216 > FRRouting#7 0x561b81018bf2 in main isisd/isis_main.c:360 > FRRouting#8 0x7f3f63029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: 0af0f46 ("isisd: Receive SRv6 SIDs notifications from zebra") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit 25c813a)

A crash is detected on an invalid memory access to the 0x0 address zone. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=130889386464320) > at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=130889386464320) at ./nptl/pthread_kill.c:78 > FRRouting#2 __GI___pthread_kill (threadid=130889386464320, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > FRRouting#3 0x0000770b0f042476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x0000770b0f507846 in core_handler (signo=11, siginfo=0x7ffd4f7ec9f0, context=0x7ffd4f7ec8c0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > FRRouting#5 <signal handler called> > FRRouting#6 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:339 > FRRouting#7 0x0000770b0f50bb54 in sockunion_set (su=0x7ffd4f7ed7b0, family=2, addr=0x0, bytes=4) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sockunion.c:500 > FRRouting#8 0x00005f75d5430817 in nhrp_cie_pull (zb=0x5f75f262c4d0, hdr=0x5f75f2627dd8, nbma=0x7ffd4f7ed6d0, > proto=0x7ffd4f7ed7b0) at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:180 > FRRouting#9 0x00005f75d5434652 in nhrp_peer_forward (p=0x5f75f2605f30, pp=0x7ffd4f7ed8c0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1050 > FRRouting#10 0x00005f75d54356cb in nhrp_peer_recv (p=0x5f75f2605f30, zb=0x5f75f2627da0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1341 > FRRouting#11 0x00005f75d5430d8e in nhrp_packet_recvraw (t=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:332 > FRRouting#12 0x0000770b0f521188 in thread_call (thread=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > FRRouting#13 0x0000770b0f4b7737 in frr_run (master=0x5f75f2440570) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1155 > FRRouting#14 0x00005f75d542d2b4 in main (argc=3, argv=0x7ffd4f7ee0b8) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_main.c:317 The incoming nhrp packet is too short, and the call to sockunion_set() uses a 0x0 memory zone, because the whole nhrp packet has been parsed, and the zbuf length used was 0. Fix this by detecting the zbuf remaining length before calling sockunion_set. Signed-off-by: Philippe Guibert <[email protected]> (cherry picked from commit 30e479e)

The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 FRRouting#2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 FRRouting#3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 FRRouting#4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 FRRouting#5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 FRRouting#6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <[email protected]> (cherry picked from commit fa67f51)

route-map match condition on evpn default-route does not have proper check that its truly type-5 before checking prefixlen being 0. In absence of the fix, the set condition applied to all evpn routes as evpn prefix is type union so just checking for prefixlen 0 is not sufficient. Ticket:#3227895 Issue:3227895 Testing Done: Apply ingress route-map policy: route-map POLICY_OUT_SS permit 10 match evpn default-route set metric 6666 Default route contains metric only to default route: BGP routing table entry for 144.1.1.6:4:[5]:[0]:[0.0.0.0/0]/352 Paths: (2 available, best #1) Advertised to non peer-group peers: leaf-21(swp1) leaf-22(swp2) Route [5]:[0]:[0]:[0.0.0.0] VNI 104002 651004 652000 651001 660000 6.0.0.1 from leaf-21(swp1) (6.0.0.26) Origin IGP, metric 6666, valid, external, bestpath-from-AS 651004, best (Router ID) Extended Community: RT:4640:104002 ET:8 Rmac:00:02:00:00:00:04 Last update: Fri Oct 7 20:25:39 2022 Route [5]:[0]:[0]:[0.0.0.0] VNI 104002 651004 652000 651001 660000 6.0.0.1 from leaf-22(swp2) (6.0.0.27) Origin IGP, metric 6666, valid, external Extended Community: RT:4640:104002 ET:8 Rmac:00:02:00:00:00:04 Last update: Fri Oct 7 20:25:39 2022 Signed-off-by: Chirag Shah <[email protected]> (cherry picked from commit ee2b227)

Before: tor-21# show bgp l2vpn evpn route rd 144.1.1.2:6 EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]:[Frag-id] EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC] EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP] EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP] EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP] BGP routing table entry for 144.1.1.2:6:[5]:[0]:[24]:[50.1.110.0] Paths: (2 available, best #1) Advertised to peers: leaf-21(swp1) leaf-22(swp2) Route [5]:[0]:[24]:[50.1.110.0] VNI 104001 651004 652000 651001 660000 0.0.0.0(leaf-21) from leaf-21(swp1) (6.0.0.26) Origin incomplete, valid, external, multipath, bestpath-from-AS 651004, best (Router ID) Extended Community: RT:4640:104001 ET:8 Rmac:00:00:10:00:01:08 Last update: Mon Sep 29 04:06:01 2025 Route [5]:[0]:[24]:[50.1.110.0] VNI 104001 651004 652000 651001 660000 0.0.0.0(leaf-22) from leaf-22(swp2) (6.0.0.27) Origin incomplete, valid, external, multipath Extended Community: RT:4640:104001 ET:8 Rmac:00:00:10:00:01:08 Last update: Mon Sep 29 04:06:01 2025 After: tor-21# show bgp l2vpn evpn route rd 144.1.1.2:6 EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]:[Frag-id] EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC] EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP] EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP] EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP] BGP routing table entry for 144.1.1.2:6:[5]:[0]:[24]:[50.1.110.0] Paths: (2 available, best #1) Advertised to peers: leaf-21(swp1) leaf-22(swp2) Route [5]:[0]:[24]:[50.1.110.0] VNI 104001 651004 652000 651001 660000 2006:27:27::1(leaf-21) from leaf-21(swp1) (6.0.0.26) Origin incomplete, valid, external, multipath, bestpath-from-AS 651004, best (Router ID) Extended Community: RT:4640:104001 ET:8 Rmac:00:00:10:00:01:08 Last update: Mon Sep 29 00:36:28 2025 Route [5]:[0]:[24]:[50.1.110.0] VNI 104001 651004 652000 651001 660000 2006:27:27::1(leaf-22) from leaf-22(swp2) (6.0.0.27) Origin incomplete, valid, external, multipath Extended Community: RT:4640:104001 ET:8 Rmac:00:00:10:00:01:08 Last update: Mon Sep 29 00:36:28 2025 Signed-off-by: Chirag Shah <[email protected]>

When we have something like: ``` *> 10.0.8.0/25 10.113.78.2 0 100 0 (65506 65507) 800 ? * i 10.113.78.2 0 100 0 (65506 65507) 800 ? * 10.113.19.2 0 900 800 ? *> 10.0.8.128/25 10.113.78.2 0 100 0 (65506 65507) 800 ? * i 10.113.78.2 0 100 0 (65506 65507) 800 ? * 10.113.19.2 0 900 800 ? ``` And then create an aggregate with as-set, we had: ``` *> 10.0.8.0/24 0.0.0.0 0 32768 {800,900,65506,65507} ? ``` Which is bad (confederation AS is included into AS-SET). With the fix: r1 aggregates 10.0.8.0/24 ========================= ``` munet> r1 shi vtysh -c 'show bgp ipv4 10.0.8.0/24' BGP routing table entry for 10.0.8.0/24, version 25 Paths: (1 available, best #1, table default) Advertised to peers: 10.113.13.2 10.113.16.2 10.113.19.2 [65506,65507] {800,900}, (aggregated by 100 10.113.0.1) 0.0.0.0 from 0.0.0.0 (10.113.0.1) Origin incomplete, metric 0, weight 32768, valid, aggregated, local, best (First path received) Last update: Wed Nov 19 10:18:41 2025 ``` r3 is a confederation member ============================ ``` munet> r3 shi vtysh -c 'show bgp ipv4 10.0.8.0/24' BGP routing table entry for 10.0.8.0/24, version 22 Paths: (1 available, best #1, table default) Advertised to peers: 10.113.36.2 10.113.113.2 [65506,65507] {800,900}, (aggregated by 100 10.113.0.1) 10.113.13.1 from 10.113.13.1 (10.113.0.1) Origin incomplete, metric 0, localpref 100, valid, confed-internal, best (First path received) Last update: Wed Nov 19 10:18:42 2025 ``` r13 is outside the confederation and it should receive the path without confederations ====================================================================================== ``` munet> r13 shi vtysh -c 'show bgp ipv4 10.0.8.0/24' BGP routing table entry for 10.0.8.0/24, version 21 Paths: (1 available, best #1, table default) Advertised to peers: 10.113.113.1 100 {800,900}, (aggregated by 100 10.113.0.1) 10.113.113.1 from 10.113.113.1 (10.113.0.3) Origin incomplete, valid, external, best (First path received) Last update: Wed Nov 19 10:18:42 2025 ``` Signed-off-by: Donatas Abraitis <[email protected]>

The transposed SID value is not visible from the VPN paths. > r1# show bgp ipv4 vpn 10.0.0.0/24 > BGP routing table entry for 65001:20:10.0.0.0/24, version 3 > not allocated > Paths: (1 available, best #1) > Advertised to peers: > 2001:db8:12::2 > Local > 0.0.0.0 from 0.0.0.0 (192.0.2.1) vrf Vrf20(7) announce-nh-self > Origin incomplete, metric 0, weight 32768, valid, sourced, local, best (First path received) > Extended Community: RT:0:20 > Originator: 192.0.2.1 > Remote label: 16 > Remote SID: 2004:db8:1:1::, sid structure=[40 24 16 0 16 64] > Last update: Wed Nov 26 10:36:13 2025 Add a json field named remoteTransposedSid in json part. > r1# show bgp ipv4 vpn 10.0.0.0/24 json > "originatorId":"192.0.2.1", > "remoteLabel":16, > "remoteTransposedSid":"2004:db8:1:1:1::", > "remoteSid":"2004:db8:1:1::", > "remoteSidStructure":{ > "locatorBlockLen":40, > "locatorNodeLen":24, > "functionLen":16, > "argumentLen":0, > "transpositionLen":16, > "transpositionOffset":64 > }, Signed-off-by: Philippe Guibert <[email protected]>

When neighbor graceful-shutdown is configured, GSHUT community and LOCAL_PREF=0 should apply to all routes advertised to that neighbor, including locally originated routes (network command, redistribute). Previously, GSHUT only applied to received routes from that neighbor. This fix ensures originated routes also get GSHUT treatment. When bgp neighbor GSHUT is done, advertise routes recivied from this neighbor with GSHUT attribute. Testing: mlx-4600ca1-01(config-router)# neighbor 210.2.0.2 graceful-shutdown logs: 2024/06/18 00:11:34 BGP: [MS8ZT-QEXJ8] u2:s4 210.2.0.2 announcing routes 2024/06/18 00:11:35 BGP: [TN0HX-6G1RR] u1:s3 send UPDATE w/ attr: nexthop 0.0.0.0, origin ?, localpref 0, community graceful-shutdown, path 201 200 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 20.10.10.2/32 IPv4 unicast 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 210.2.0.0/24 IPv4 unicast 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 210.2.1.0/24 IPv4 unicast 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 210.2.2.0/24 IPv4 unicast 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 210.2.3.0/24 IPv4 unicast 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 210.2.4.0/24 IPv4 unicast 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 210.2.5.0/24 IPv4 unicast 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 210.2.6.0/24 IPv4 unicast 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 210.3.1.0/24 IPv4 unicast 2024/06/18 00:11:35 BGP: [WEV7K-2GAQ5] u1:s3 send UPDATE len 96 (max message len: 65535) numpfx 9 2024/06/18 00:11:35 BGP: [MBFVT-8GSC6] u1:s3 210.2.0.2 send UPDATE w/ nexthop 210.2.0.1 2024/06/18 00:11:35 BGP: [TN0HX-6G1RR] u1:s3 send UPDATE w/ attr: nexthop 0.0.0.0, localpref 0, metric 0, community graceful-shutdown, path 2024/06/18 00:11:35 BGP: [HVRWP-5R9NQ] u1:s3 send UPDATE 133.133.133.133/32 IPv4 unicast mlx-4600ca1-01(config-router)#no neighbor 210.2.0.2 graceful-shutdown logs: 024/06/18 00:12:59 BGP: [MS8ZT-QEXJ8] u2:s6 210.2.0.2 announcing routes 2024/06/18 00:13:00 BGP: [TN0HX-6G1RR] u1:s5 send UPDATE w/ attr: nexthop 0.0.0.0, origin ?, path 201 200 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 20.10.10.2/32 IPv4 unicast 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 210.2.0.0/24 IPv4 unicast 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 210.2.1.0/24 IPv4 unicast 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 210.2.2.0/24 IPv4 unicast 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 210.2.3.0/24 IPv4 unicast 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 210.2.4.0/24 IPv4 unicast 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 210.2.5.0/24 IPv4 unicast 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 210.2.6.0/24 IPv4 unicast 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 210.3.1.0/24 IPv4 unicast 2024/06/18 00:13:00 BGP: [WEV7K-2GAQ5] u1:s5 send UPDATE len 89 (max message len: 65535) numpfx 9 2024/06/18 00:13:00 BGP: [MBFVT-8GSC6] u1:s5 210.2.0.2 send UPDATE w/ nexthop 210.2.0.1 2024/06/18 00:13:00 BGP: [TN0HX-6G1RR] u1:s5 send UPDATE w/ attr: nexthop 0.0.0.0, metric 0, path 2024/06/18 00:13:00 BGP: [HVRWP-5R9NQ] u1:s5 send UPDATE 133.133.133.133/32 IPv4 unicast 2024/06/18 00:13:00 BGP: [WEV7K-2GAQ5] u1:s5 send UPDATE len 56 (max message len: 65535) numpfx 1 default route: n2# show ip bgp 0.0.0.0/0 BGP routing table entry for 0.0.0.0/0, version 70 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: mlx-4600ca1-01(210.2.0.1) n3(210.3.1.3) n3(2210:210:3:1::3) 201 100 210.2.0.1 (mlx-4600ca1-01) from mlx-4600ca1-01(210.2.0.1) (20.0.0.1) Origin IGP, metric 0, localpref 0, valid, external, bestpath-from-AS 201, best (First path received) Community: graceful-shutdown Last update: Wed Jun 26 20:20:29 2024 Signed-off-by: Vijayalaxmi Basavaraj <[email protected]>

The transposed SID value is not visible from the VPN paths. > r1# show bgp ipv4 vpn 10.0.0.0/24 > BGP routing table entry for 65001:20:10.0.0.0/24, version 3 > not allocated > Paths: (1 available, best #1) > Advertised to peers: > 2001:db8:12::2 > Local > 0.0.0.0 from 0.0.0.0 (192.0.2.1) vrf Vrf20(7) announce-nh-self > Origin incomplete, metric 0, weight 32768, valid, sourced, local, best (First path received) > Extended Community: RT:0:20 > Originator: 192.0.2.1 > Remote label: 16 > Remote SID: 2004:db8:1:1::, sid structure=[40 24 16 0 16 64] > Last update: Wed Nov 26 10:36:13 2025 Add a json field named remoteTransposedSid in json part. > r1# show bgp ipv4 vpn 10.0.0.0/24 json > "originatorId":"192.0.2.1", > "remoteLabel":16, > "remoteTransposedSid":"2004:db8:1:1:1::", > "remoteSid":"2004:db8:1:1::", > "remoteSidStructure":{ > "locatorBlockLen":40, > "locatorNodeLen":24, > "functionLen":16, > "argumentLen":0, > "transpositionLen":16, > "transpositionOffset":64 > }, Signed-off-by: Philippe Guibert <[email protected]>

Error: ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000ef8a0 at pc 0x555df66ba094 bp 0x7ffc13d67240 sp 0x7ffc13d67238 READ of size 4 at 0x6070000ef8a0 thread T0 #0 0x555df66ba093 in zebra_gr_delete_stale_route_table_afi zebra/zebra_gr.c:514 #1 0x7fd33d6db06e in event_call lib/event.c:2013 FRRouting#2 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257 FRRouting#3 0x555df66531ec in main zebra/main.c:552 FRRouting#4 0x7fd33d10c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 FRRouting#5 0x7fd33d10c304 in __libc_start_main_impl ../csu/libc-start.c:360 FRRouting#6 0x555df6626b40 in _start (/usr/lib/frr/zebra+0x1a1b40) 0x6070000ef8a0 is located 0 bytes inside of 72-byte region [0x6070000ef8a0,0x6070000ef8e8) freed by thread T0 here: #0 0x7fd33dab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 #1 0x7fd33d622cd5 in qfree lib/memory.c:136 FRRouting#2 0x555df66b9e5f in zebra_gr_client_info_delete zebra/zebra_gr.c:130 FRRouting#3 0x555df66bc66f in zread_client_capabilities zebra/zebra_gr.c:355 FRRouting#4 0x555df66a025c in zserv_handle_commands zebra/zapi_msg.c:4228 FRRouting#5 0x555df67cde33 in zserv_process_messages zebra/zserv.c:565 FRRouting#6 0x7fd33d6db06e in event_call lib/event.c:2013 FRRouting#7 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257 FRRouting#8 0x555df66531ec in main zebra/main.c:552 FRRouting#9 0x7fd33d10c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 previously allocated by thread T0 here: #0 0x7fd33dab83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 #1 0x7fd33d6223e2 in qcalloc lib/memory.c:111 FRRouting#2 0x555df66bbace in zebra_gr_client_info_create zebra/zebra_gr.c:101 FRRouting#3 0x555df66bbace in zread_client_capabilities zebra/zebra_gr.c:360 FRRouting#4 0x555df66a025c in zserv_handle_commands zebra/zapi_msg.c:4228 FRRouting#5 0x555df67cde33 in zserv_process_messages zebra/zserv.c:565 FRRouting#6 0x7fd33d6db06e in event_call lib/event.c:2013 FRRouting#7 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257 FRRouting#8 0x555df66531ec in main zebra/main.c:552 FRRouting#9 0x7fd33d10c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Pooja Jagadeesh Doijode <[email protected]>

When using the 'sid vpn per-vrf export explicit' command, there is no control to know if the sid func part is corretly encoded in the BGP update. If the func part is over the 20 bit value, then there is missing information, and summing up the label and the sid info is not enough. For instance, the value cece:2222 has to be encoded in the 32 bit func part. > segment-routing > srv6 > locators > locator loc1 > prefix fc00:0:5::/48 block-len 32 node-len 16 func-bits 32 > ! > ! > ! > ! > router bgp 5 vrf vrf10 > address-family ipv6 unicast > sid vpn export explicit fc00:0:5:cece:2222:: > [..] But BGP does not know how to encode the whole SID information. > rt5# show bgp ipv6 vpn 2001:db9:10::/64 > BGP routing table entry for 5:10:2001:db9:10::/64, version 1 > not allocated > Paths: (1 available, best #1) > Advertised to peers: > fc00:0:1::1 > Local > :: from :: (5.5.5.5) vrf vrf10(7) announce-nh-self > Origin incomplete, metric 0, weight 32768, valid, sourced, local, best (First path received) > Extended Community: RT:99:99 > Originator: 5.5.5.5 > Remote label: 0 > Remote SID: fc00:0:5:: > Last update: Mon Jun 30 17:15:50 2025 In the case, the function bit length of the locator is over 20 bits, consider encoding the SID in the prefix SID TLV, and do not use the label value. > rt1# show bgp ipv6 vpn 2001:db9:10::/64 > BGP routing table entry for 5:10:2001:db9:10::/64, version 1 > not allocated > Paths: (1 available, best #1) > Advertised to peers: > fc00:0:5::1 fc00:0:6::1 > 5 > fc00:0:5::1 (metric 20) from fc00:0:5::1 (5.5.5.5) > Origin incomplete, metric 0, valid, external, best (First path received) > Extended Community: RT:99:99 > Remote label: 3 > Remote SID: fc00:0:5:cece:2222:: > Last update: Mon Jun 30 17:00:05 2025 Signed-off-by: Philippe Guibert <[email protected]>

Before: tor-21# show bgp l2vpn evpn route rd 144.1.1.2:6 EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]:[Frag-id] EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC] EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP] EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP] EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP] BGP routing table entry for 144.1.1.2:6:[5]:[0]:[24]:[50.1.110.0] Paths: (2 available, best #1) Advertised to peers: leaf-21(swp1) leaf-22(swp2) Route [5]:[0]:[24]:[50.1.110.0] VNI 104001 651004 652000 651001 660000 0.0.0.0(leaf-21) from leaf-21(swp1) (6.0.0.26) Origin incomplete, valid, external, multipath, bestpath-from-AS 651004, best (Router ID) Extended Community: RT:4640:104001 ET:8 Rmac:00:00:10:00:01:08 Last update: Mon Sep 29 04:06:01 2025 Route [5]:[0]:[24]:[50.1.110.0] VNI 104001 651004 652000 651001 660000 0.0.0.0(leaf-22) from leaf-22(swp2) (6.0.0.27) Origin incomplete, valid, external, multipath Extended Community: RT:4640:104001 ET:8 Rmac:00:00:10:00:01:08 Last update: Mon Sep 29 04:06:01 2025 After: tor-21# show bgp l2vpn evpn route rd 144.1.1.2:6 EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]:[Frag-id] EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC] EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP] EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP] EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP] BGP routing table entry for 144.1.1.2:6:[5]:[0]:[24]:[50.1.110.0] Paths: (2 available, best #1) Advertised to peers: leaf-21(swp1) leaf-22(swp2) Route [5]:[0]:[24]:[50.1.110.0] VNI 104001 651004 652000 651001 660000 2006:27:27::1(leaf-21) from leaf-21(swp1) (6.0.0.26) Origin incomplete, valid, external, multipath, bestpath-from-AS 651004, best (Router ID) Extended Community: RT:4640:104001 ET:8 Rmac:00:00:10:00:01:08 Last update: Mon Sep 29 00:36:28 2025 Route [5]:[0]:[24]:[50.1.110.0] VNI 104001 651004 652000 651001 660000 2006:27:27::1(leaf-22) from leaf-22(swp2) (6.0.0.27) Origin incomplete, valid, external, multipath Extended Community: RT:4640:104001 ET:8 Rmac:00:00:10:00:01:08 Last update: Mon Sep 29 00:36:28 2025 Signed-off-by: Chirag Shah <[email protected]>

The following crash happens, when moving from level-2 to level-1 an isis flex-algorithm configuration > warning: 44 ./nptl/pthread_kill.c: No such file or directory > [Current thread is 1 (Thread 0x7108d4cb2980 (LWP 1023))] > (gdb) bt > #0 __pthread_kill_implementation (no_tid=0, signo=11, > threadid=<optimized out>) at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=<optimized out>) > at ./nptl/pthread_kill.c:78 > FRRouting#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=11) > at ./nptl/pthread_kill.c:89 > FRRouting#3 0x00007108d3e4527e in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x00007108d4b44926 in core_handler (signo=11, siginfo=0x7ffe7c10fb30, > context=0x7ffe7c10fa00) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:248 > FRRouting#5 <signal handler called> > FRRouting#6 0x00005b5d803bf07b in isis_spf_invalidate_routes (tree=0x0) > at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2118 > FRRouting#7 0x00005b5d803fb23e in isis_area_invalidate_routes (area=0x5b5db8d5be40, > levels=1) > at /build/make-pkg/output/_packages/cp-routing/src/isisd/isisd.c:3152 > FRRouting#8 0x00005b5d803bf280 in isis_run_spf_cb (thread=0x7ffe7c110180) > at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2165 > FRRouting#9 0x00007108d4b5ff7f in event_call (thread=0x7ffe7c110180) > at /build/make-pkg/output/_packages/cp-routing/src/lib/event.c:2011 > FRRouting#10 0x00007108d4adb761 in frr_run (master=0x5b5db7f7ca40) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1219 > FRRouting#11 0x00005b5d8038333a in main (argc=5, argv=0x7ffe7c1103d8, > --Type <RET> for more, q to quit, c to continue without paging-- > envp=0x7ffe7c110408) > at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_main.c:360 > (gdb) Fix this by adding protection before invalidating all routes. Signed-off-by: Philippe Guibert <[email protected]>

github-actions bot added the srv6-usid label Feb 23, 2023

cscarpitta requested changes May 8, 2023

View reviewed changes

zice312963205 requested a review from cscarpitta May 10, 2023 03:46

cscarpitta requested changes May 15, 2023

View reviewed changes

zice312963205 added 3 commits May 17, 2023 13:55

doc: add new command 'redistribute vrf <VRFNAME>'

386a0a7

Signed-off-by: Jack.Zhang <[email protected]>

tests: add test for BGP vrf route copying behavior

2ec611b

This commit adds a new test case.The new test case performs three operations: install routes in vrf1. set redistribute vrf vrf1 command on vrf2. check the copying routes by vrf1 in vrf2. Signed-off-by: Jack.Zhang <[email protected]>

zice312963205 requested a review from cscarpitta May 17, 2023 06:00

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

support redistribute vrf function #1

support redistribute vrf function #1

Uh oh!

zice312963205 commented Feb 23, 2023 •

edited

Loading

Uh oh!

cscarpitta commented Feb 27, 2023

Uh oh!

cscarpitta May 8, 2023

Uh oh!

zice312963205 May 10, 2023

Uh oh!

cscarpitta May 15, 2023

Uh oh!

zice312963205 May 17, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

support redistribute vrf function #1

support redistribute vrf function #1

Uh oh!

Conversation

zice312963205 commented Feb 23, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cscarpitta commented Feb 27, 2023

Uh oh!

cscarpitta May 8, 2023

Choose a reason for hiding this comment

Uh oh!

zice312963205 May 10, 2023

Choose a reason for hiding this comment

Uh oh!

cscarpitta May 15, 2023

Choose a reason for hiding this comment

Uh oh!

zice312963205 May 17, 2023

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

zice312963205 commented Feb 23, 2023 •

edited

Loading