Use of uninitialized data in bgp #17144

@donaldsharp

Description

This commit:

sharpd@eva ~/frr2 ((3c86f776…)|BISECTING)> git bisect good
ca32945b1fd694d10307d2885df62251f46bf581 is the first bad commit
commit ca32945b1fd694d10307d2885df62251f46bf581
Author: Louis Scalbert <louis.scalbert@6wind.com>
Date:   Mon Feb 26 18:23:11 2024 +0100

    bgpd: move labels from extra to extra->labels
    
    Move labels from extra to extra->labels. Labels are now stored in a hash
    list.
    
    Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Causes these issues w/ valgrind:

==2604205== Conditional jump or move depends on uninitialised value(s)
==2604205==    at 0x26F026: bgp_labels_unintern (bgp_label.c:116)
==2604205==    by 0x2B0980: bgp_path_info_extra_free (bgp_route.c:309)
==2604205==    by 0x394749: rfapiBgpInfoFree (rfapi_import.c:488)
==2604205==    by 0x398EE3: rfapiWithdrawTimerVPN (rfapi_import.c:2443)
==2604205==    by 0x39AF41: rfapiExpireVpnNow (rfapi_import.c:3298)
==2604205==    by 0x39BB35: rfapiBgpInfoFilteredImportVPN (rfapi_import.c:3559)
==2604205==    by 0x39CBDC: rfapiProcessWithdraw (rfapi_import.c:3986)
==2604205==    by 0x2BEC99: bgp_withdraw (bgp_route.c:5489)
==2604205==    by 0x27DA9B: bgp_nlri_parse_vpn (bgp_mplsvpn.c:247)
==2604205==    by 0x296AE5: bgp_nlri_parse (bgp_packet.c:348)
==2604205==    by 0x29C1C9: bgp_update_receive (bgp_packet.c:2491)
==2604205==    by 0x2A0F17: bgp_process_packet (bgp_packet.c:4095)
==2604205==    by 0x49E06F1: event_call (event.c:2001) 
==2604205==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604205==    by 0x200C4B: main (bgp_main.c:555)
==2604205== 
==2604205== Conditional jump or move depends on uninitialised value(s)
==2604205==    at 0x26F026: bgp_labels_unintern (bgp_label.c:116)
==2604205==    by 0x3D533B: bgp_adj_in_remove (bgp_advertise.c:197)
==2604205==    by 0x3D5471: bgp_adj_in_unset (bgp_advertise.c:221)
==2604205==    by 0x2BED69: bgp_withdraw (bgp_route.c:5512)
==2604205==    by 0x27DA9B: bgp_nlri_parse_vpn (bgp_mplsvpn.c:247)
==2604205==    by 0x296AE5: bgp_nlri_parse (bgp_packet.c:348)
==2604205==    by 0x29C1C9: bgp_update_receive (bgp_packet.c:2491)
==2604205==    by 0x2A0F17: bgp_process_packet (bgp_packet.c:4095)
==2604205==    by 0x49E06F1: event_call (event.c:2001)
==2604205==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604205==    by 0x200C4B: main (bgp_main.c:555)
==2604205== 
==2604205== Conditional jump or move depends on uninitialised value(s)
==2604205==    at 0x26F026: bgp_labels_unintern (bgp_label.c:116)
==2604205==    by 0x2B0980: bgp_path_info_extra_free (bgp_route.c:309)
==2604205==    by 0x2B0B6C: bgp_path_info_free_with_caller (bgp_route.c:357)
==2604205==    by 0x2B0C85: bgp_path_info_unlock (bgp_route.c:380)
==2604205==    by 0x2B12A2: bgp_path_info_reap (bgp_route.c:535)
==2604205==    by 0x2BA0D2: bgp_process_main_one (bgp_route.c:3871)
==2604205==    by 0x2BA788: bgp_process_wq (bgp_route.c:3978)
==2604205==    by 0x49F29FB: work_queue_run (workqueue.c:282)
==2604205==    by 0x49E06F1: event_call (event.c:2001)
==2604205==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604205==    by 0x200C4B: main (bgp_main.c:555)
==2604205== 
==2604205== Conditional jump or move depends on uninitialised value(s)
==2604205==    at 0x26F026: bgp_labels_unintern (bgp_label.c:116)
==2604205==    by 0x30000C: adj_free (bgp_updgrp_adv.c:81)
==2604205==    by 0x3019EE: bgp_adj_out_remove_subgroup (bgp_updgrp_adv.c:728)
==2604205==    by 0x30537C: subgroup_withdraw_packet (bgp_updgrp_packet.c:1042)
==2604205==    by 0x2970AF: bgp_generate_updgrp_packets (bgp_packet.c:508)
==2604205==    by 0x49E06F1: event_call (event.c:2001)
==2604205==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604205==    by 0x200C4B: main (bgp_main.c:555)
==2604268== Use of uninitialised value of size 8
==2604268==    at 0x4942F1F: hash_get (hash.c:140)
==2604268==    by 0x26EFC1: bgp_labels_intern (bgp_label.c:97)
==2604268==    by 0x28077B: leak_update (bgp_mplsvpn.c:1298)
==2604268==    by 0x2824A3: vpn_leak_from_vrf_update (bgp_mplsvpn.c:1932)
==2604268==    by 0x2C281C: bgp_static_update (bgp_route.c:6974)
==2604268==    by 0x2C366F: bgp_static_set (bgp_route.c:7263)
==2604268==    by 0x2C435B: bgp_network_magic (bgp_route.c:7556)
==2604268==    by 0x2ACF09: bgp_network (bgp_route_clippy.c:86)
==2604268==    by 0x4914EE7: cmd_execute_command_real (command.c:1003)
==2604268==    by 0x4915060: cmd_execute_command (command.c:1062)
==2604268==    by 0x4915610: cmd_execute (command.c:1228)
==2604268==    by 0x49E7C32: vty_command (vty.c:625)
==2604268==    by 0x49E9B56: vty_execute (vty.c:1388)
==2604268==    by 0x49EC331: vtysh_read (vty.c:2400)
==2604268==    by 0x49E06F1: event_call (event.c:2001)
==2604268==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604268==    by 0x200C4B: main (bgp_main.c:555)
==2604268== 
==2604268== Use of uninitialised value of size 8
==2604268==    at 0x4943016: hash_get (hash.c:159)
==2604268==    by 0x26EFC1: bgp_labels_intern (bgp_label.c:97)
==2604268==    by 0x28077B: leak_update (bgp_mplsvpn.c:1298)
==2604268==    by 0x2824A3: vpn_leak_from_vrf_update (bgp_mplsvpn.c:1932)
==2604268==    by 0x2C281C: bgp_static_update (bgp_route.c:6974)
==2604268==    by 0x2C366F: bgp_static_set (bgp_route.c:7263)
==2604268==    by 0x2C435B: bgp_network_magic (bgp_route.c:7556)
==2604268==    by 0x2ACF09: bgp_network (bgp_route_clippy.c:86)
==2604268==    by 0x4914EE7: cmd_execute_command_real (command.c:1003)
==2604268==    by 0x4915060: cmd_execute_command (command.c:1062)
==2604268==    by 0x4915610: cmd_execute (command.c:1228)
==2604268==    by 0x49E7C32: vty_command (vty.c:625)
==2604268==    by 0x49E9B56: vty_execute (vty.c:1388)
==2604268==    by 0x49EC331: vtysh_read (vty.c:2400)
==2604268==    by 0x49E06F1: event_call (event.c:2001)
==2604268==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604268==    by 0x200C4B: main (bgp_main.c:555)
==2604268== 
==2604268== Use of uninitialised value of size 8
==2604268==    at 0x4943036: hash_get (hash.c:160)
==2604268==    by 0x26EFC1: bgp_labels_intern (bgp_label.c:97)
==2604268==    by 0x28077B: leak_update (bgp_mplsvpn.c:1298)
==2604268==    by 0x2824A3: vpn_leak_from_vrf_update (bgp_mplsvpn.c:1932)
==2604268==    by 0x2C281C: bgp_static_update (bgp_route.c:6974)
==2604268==    by 0x2C366F: bgp_static_set (bgp_route.c:7263)
==2604268==    by 0x2C435B: bgp_network_magic (bgp_route.c:7556)
==2604268==    by 0x2ACF09: bgp_network (bgp_route_clippy.c:86)
==2604268==    by 0x4914EE7: cmd_execute_command_real (command.c:1003)
==2604268==    by 0x4915060: cmd_execute_command (command.c:1062)
==2604268==    by 0x4915610: cmd_execute (command.c:1228)
==2604268==    by 0x49E7C32: vty_command (vty.c:625)
==2604268==    by 0x49E9B56: vty_execute (vty.c:1388)
==2604268==    by 0x49EC331: vtysh_read (vty.c:2400)
==2604268==    by 0x49E06F1: event_call (event.c:2001)
==2604268==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604268==    by 0x200C4B: main (bgp_main.c:555)
==2604268== Conditional jump or move depends on uninitialised value(s)
==2604268==    at 0x26F026: bgp_labels_unintern (bgp_label.c:116)
==2604268==    by 0x30000C: adj_free (bgp_updgrp_adv.c:81)
==2604268==    by 0x3019EE: bgp_adj_out_remove_subgroup (bgp_updgrp_adv.c:728)
==2604268==    by 0x30537C: subgroup_withdraw_packet (bgp_updgrp_packet.c:1042)
==2604268==    by 0x2970AF: bgp_generate_updgrp_packets (bgp_packet.c:508)
==2604268==    by 0x49E06F1: event_call (event.c:2001)
==2604268==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604268==    by 0x200C4B: main (bgp_main.c:555)
==2604268==
==2604268== Use of uninitialised value of size 8
==2604268==    at 0x49431F1: hash_release (hash.c:208)
==2604268==    by 0x26F03D: bgp_labels_unintern (bgp_label.c:117)
==2604268==    by 0x30000C: adj_free (bgp_updgrp_adv.c:81)
==2604268==    by 0x3019EE: bgp_adj_out_remove_subgroup (bgp_updgrp_adv.c:728)
==2604268==    by 0x30537C: subgroup_withdraw_packet (bgp_updgrp_packet.c:1042)
==2604268==    by 0x2970AF: bgp_generate_updgrp_packets (bgp_packet.c:508)
==2604268==    by 0x49E06F1: event_call (event.c:2001)
==2604268==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604268==    by 0x200C4B: main (bgp_main.c:555)
==2604268==
==2604268== Conditional jump or move depends on uninitialised value(s)
==2604268==    at 0x494320F: hash_release (hash.c:209)
==2604268==    by 0x26F03D: bgp_labels_unintern (bgp_label.c:117)
==2604268==    by 0x30000C: adj_free (bgp_updgrp_adv.c:81)
==2604268==    by 0x3019EE: bgp_adj_out_remove_subgroup (bgp_updgrp_adv.c:728)
==2604268==    by 0x30537C: subgroup_withdraw_packet (bgp_updgrp_packet.c:1042)
==2604268==    by 0x2970AF: bgp_generate_updgrp_packets (bgp_packet.c:508)
==2604268==    by 0x49E06F1: event_call (event.c:2001)
==2604268==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604268==    by 0x200C4B: main (bgp_main.c:555)
==2604268==
==2604268== Conditional jump or move depends on uninitialised value(s)
==2604268==    at 0x26F118: bgp_labels_cmp (bgp_label.c:142)
==2604268==    by 0x26EEE7: bgp_labels_hash_cmp (bgp_label.c:64)
==2604268==    by 0x4943230: hash_release (hash.c:210)
==2604268==    by 0x26F03D: bgp_labels_unintern (bgp_label.c:117)
==2604268==    by 0x30000C: adj_free (bgp_updgrp_adv.c:81)
==2604268==    by 0x3019EE: bgp_adj_out_remove_subgroup (bgp_updgrp_adv.c:728)
==2604268==    by 0x30537C: subgroup_withdraw_packet (bgp_updgrp_packet.c:1042)
==2604268==    by 0x2970AF: bgp_generate_updgrp_packets (bgp_packet.c:508)
==2604268==    by 0x49E06F1: event_call (event.c:2001)
==2604268==    by 0x495AB8B: frr_run (libfrr.c:1238)
==2604268==    by 0x200C4B: main (bgp_main.c:555)

Version

master

How to reproduce

Run bgp_bmp with --enable-valgrind. Happens every time.

Expected behavior

No uninitialized data

Actual behavior

bad stuff

Additional context

No response

Checklist

  • I have searched the open issues for this bug.
  • I have not included sensitive information in this report.
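
An added triage helper, not part of the original report or of FRR: it groups memcheck errors like the ones above by their innermost frame in one source file and lists the functions that call into that file. The function names `parse_errors` and `triage` are hypothetical, the sample is excerpted from the report's traces, and only frames carrying `file:line` debug info are parsed.

```python
import re
from collections import Counter

# Memcheck frames with debug info: "==PID==    at 0xADDR: func (file.c:123)"
FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:()]+):(\d+)\)")
HEADER = re.compile(r"==\d+== ([A-Z].*\S)")  # first line of an error record

# Excerpted and trimmed from the traces in the report above.
SAMPLE = """\
==2604205== Conditional jump or move depends on uninitialised value(s)
==2604205==    at 0x26F026: bgp_labels_unintern (bgp_label.c:116)
==2604205==    by 0x2B0980: bgp_path_info_extra_free (bgp_route.c:309)
==2604268== Use of uninitialised value of size 8
==2604268==    at 0x4942F1F: hash_get (hash.c:140)
==2604268==    by 0x26EFC1: bgp_labels_intern (bgp_label.c:97)
==2604268==    by 0x28077B: leak_update (bgp_mplsvpn.c:1298)
==2604268== Conditional jump or move depends on uninitialised value(s)
==2604268==    at 0x26F118: bgp_labels_cmp (bgp_label.c:142)
==2604268==    by 0x26EEE7: bgp_labels_hash_cmp (bgp_label.c:64)
==2604268==    by 0x4943230: hash_release (hash.c:210)
==2604268==    by 0x26F03D: bgp_labels_unintern (bgp_label.c:117)
==2604268==    by 0x30000C: adj_free (bgp_updgrp_adv.c:81)
"""

def parse_errors(text):
    """Return [(kind, [(func, file, line), ...])], innermost frame first."""
    errors = []
    for line in text.splitlines():
        frame = FRAME.match(line)
        if frame and errors:
            errors[-1][1].append((frame[1], frame[2], int(frame[3])))
        elif not frame and (header := HEADER.match(line)):
            errors.append((header[1], []))
    return errors

def triage(text, source_file):
    """Count errors by innermost frame in source_file; collect its outside callers."""
    counts, callers = Counter(), set()
    for kind, stack in parse_errors(text):
        inside = [i for i, fr in enumerate(stack) if fr[1] == source_file]
        if not inside:
            continue  # error never passes through source_file
        func, _, line = stack[inside[0]]
        counts[(kind, func, line)] += 1
        if inside[-1] + 1 < len(stack):  # frame just outside source_file
            callers.add(stack[inside[-1] + 1][0])
    return counts, callers

if __name__ == "__main__":
    print(triage(SAMPLE, "bgp_label.c"))
```

Run against a full valgrind log, the caller set gives the list of call sites whose label data should be checked for initialization before it reaches `bgp_labels_intern` or `bgp_labels_unintern`.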

Labels: triage (Needs further investigation)
