Skip to content

Working/2.0/patch set 161218a #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 6 commits into from
Closed

Working/2.0/patch set 161218a #15

wants to merge 6 commits into from

Conversation

louberger
Copy link
Member

This patch set includes changes resulting from initial regression runs with stable/2.0
Issues found include:
valgrind reported memory loss (this set doesn't fix them all)
missing vpn&encap commands (see #14)
some RFAPI?VNC patches were missing
- fix for issue reported in #9 (mislabeled as #30)
- Other changes made in November

louberger and others added 6 commits December 18, 2016 19:51
@louberger
prefix.c: replace free with XFREE for memory allocated with XMALLOC
1631fad
@louberger
bgpd: fix unitialized value check id'ed by valgrind
74f361a
@louberger
lib/command.c: fix leak id'ed by valgrind
e2c4c42
@gpziemba @louberger
BGP: deal with vnc related string ambiguities
0254f45 
- "redist foo" parsing modified to check for foo==vnc and foo==vnc-direct
  instead of just leading 'v' character
- string designating ZEBRA_ROUTE_VNC_DIRECT changed from "vpn" to "vnc-direct"
- route_types.pl parser recognizes 7th field to restrict availability
  of a route type in the redist command to specific daemons
- restrict "vnc-direct" to bgpd only (doesn't make sense elsewhere)
- vnc documentation updated to match
@louberger
bgp: first pass at restoring missing vpn&encap show commands (issue#30)
6696566
@louberger
rfapi: pickup recent changes
ddf0364 
       expose bgp_rfapi_get_group_by_lni_label for use by rfp
       add EVPN Ethernet Tag (VID) RT
       ensure as is init'ed
       fix spelling of information
donaldsharp
donaldsharp reviewed Dec 19, 2016
View reviewed changes
Copy link
Member

@donaldsharp donaldsharp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't the first hunk be:
&& (mpath_cfg && CHECK_FLAG(....)

Why would we want to compare cluster length if they have not configured it from the cli?

donaldsharp
donaldsharp reviewed Dec 19, 2016
View reviewed changes
bgpd/bgp_route.c
"Address family\n"
"Address Family modifier\n"
"Address Family modifier\n"
"Address family\n"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

White space changes, need to be removed.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@donaldsharp WRT && (mpath_cfg && CHECK_FLAG(....) - no as this is a passed parameter which may be NULL, i.e. not provide any config info.

donaldsharp
donaldsharp reviewed Dec 19, 2016
View reviewed changes
bgpd/bgp_route.c
@@ -8161,28 +8160,26 @@ DEFUN (show_ip_bgp_ipv4,
SHOW_STR
IP_STR
BGP_STR
"Address family\n"
"Address Family modifier\n"
"Address family\n"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

white space changes need to be removed

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@donaldsharp okay

@eqvinox
Copy link
Contributor

eqvinox commented Dec 20, 2016

@louberger can you add Signed-off-bys on these?
Also, the commit messages on ddf0364 and 0254f45 are mangled (everything was condensed into the subject line)

@louberger
Copy link
Member Author

@eqvinox I'll add signoffs, but not sure what you mean on the commits as they show fine for me in git log...

@louberger louberger closed this Dec 20, 2016
@louberger louberger deleted the working/2.0/patch-set-161218a branch January 7, 2017 14:20
@dslicenc dslicenc mentioned this pull request Feb 6, 2017
Closed
@anithanarasimhamurthy anithanarasimhamurthy mentioned this pull request May 17, 2017
Closed
@louberger louberger mentioned this pull request May 15, 2018
Closed
@donaldsharp donaldsharp mentioned this pull request Sep 21, 2018
Closed
@mdash-vmware mdash-vmware mentioned this pull request Oct 8, 2018
Closed
@karamalla0406 karamalla0406 mentioned this pull request Nov 14, 2018
Closed
@vijaykug vijaykug mentioned this pull request Nov 16, 2018
Closed
cfra referenced this pull request in opensourcerouting/frr Nov 29, 2018
@mwinter-osr
Merge pull request #15 from opensourcerouting/tgen-diag
535b887 
topotest diagnostics
@mjstapp mjstapp mentioned this pull request Mar 5, 2019
Closed
@SathishVenkatesh7 SathishVenkatesh7 mentioned this pull request Apr 29, 2019
Closed
@louberger louberger mentioned this pull request May 1, 2019
Merged
@bodleytunes bodleytunes mentioned this pull request Jun 11, 2019
Closed
@santoshdoke santoshdoke mentioned this pull request Jan 22, 2020
Closed
@Spantik Spantik mentioned this pull request Feb 21, 2020
Merged
@donaldsharp donaldsharp mentioned this pull request Jul 1, 2020
Closed
This was referenced Oct 16, 2020
Merged
Merged
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Jun 20, 2025
@pguibert6WIND
lib: delay the free of vty pointer upon vty_close()
15fdbcb 
If the 'show bgp ipv4 vpn' command is interrupted during the dump of the
whole entries, then a heap use after free may appear.

> May 15 16:08:14 vRR-DUT bgpd[1647]: [N9HHH-F8H1M] %ADJCHANGE: neighbor 3.3.1.232(taastpap-scale-1) in vrf default Up
> May 15 16:08:14 vRR-DUT bgpd[1647]: [GJPH1-W8PZV] Resetting peer 3.3.1.232 due to change in addpath config
> May 15 16:08:14 vRR-DUT bgpd[1647]: [YAF85-253AP][EC 100663299] buffer_flush_available: write error on fd 70: Broken pipe
> May 15 16:08:14 vRR-DUT bgpd[1647]: [THHDB-YPEY6][EC 100663299] vtysh_flush: write error to fd 70, closing
> May 15 16:08:14 vRR-DUT bgpd[1647]: =================================================================
> May 15 16:08:14 vRR-DUT bgpd[1647]: ==1647==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b001d65238 at pc 0x7efd46b83fa0 bp 0x7ffd4d598>
> May 15 16:08:14 vRR-DUT bgpd[1647]: READ of size 1 at 0x62b001d65238 thread T0
> May 15 16:08:14 vRR-DUT bgpd[1647]:     #0 0x7efd46b83f9f in vty_out (/lib/x86_64-linux-gnu/libfrr.so.0+0x383f9f)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#1 0x5570c0a4e7d2 in aspath_print_vty /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_aspath.c:2308
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#2 0x5570c08a8ce6 in route_vty_out /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:9565
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#3 0x5570c08b5b65 in bgp_show_table /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11751
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#4 0x5570c08b677f in bgp_show_table_rd /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11915
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#5 0x5570c08b6d1c in bgp_show /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11964
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#6 0x5570c08bcb03 in show_ip_bgp_magic /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:13134
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#7 0x5570c086f616 in show_ip_bgp bgpd/bgp_route_clippy.c:514
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#8 0x7efd469b38b6  (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b38b6)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#9 0x7efd469b3c43 in cmd_execute_command (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b3c43)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#10 0x7efd469b4915 in cmd_execute (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b4915)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#11 0x7efd46b8581a  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38581a)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#12 0x7efd46b8a6ff  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38a6ff)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#13 0x7efd46b90f90  (/lib/x86_64-linux-gnu/libfrr.so.0+0x390f90)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#14 0x7efd46b75257 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375257)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#15 0x7efd46a42ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#16 0x5570c06bf804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#17 0x7efd46429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#18 0x7efd46429e3f in __libc_start_main_impl ../csu/libc-start.c:392
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#19 0x5570c06bc384 in _start (/usr/bin/bgpd+0x272384)
> May 15 16:08:14 vRR-DUT bgpd[1647]: 0x62b001d65238 is located 56 bytes inside of 26536-byte region [0x62b001d65200,0x62b001d6b9a8)
> May 15 16:08:14 vRR-DUT bgpd[1647]: freed by thread T0 here:
> May 15 16:08:14 vRR-DUT bgpd[1647]:     #0 0x7efd470b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#1 0x7efd46a6f930 in qfree (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f930)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#2 0x7efd46b92467 in vty_close (/lib/x86_64-linux-gnu/libfrr.so.0+0x392467)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#3 0x7efd46b8fd4c  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38fd4c)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#4 0x7efd46b83f60 in vty_out (/lib/x86_64-linux-gnu/libfrr.so.0+0x383f60)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#5 0x5570c0a4e7d2 in aspath_print_vty /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_aspath.c:2308
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#6 0x5570c08a8ce6 in route_vty_out /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:9565
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#7 0x5570c08b5b65 in bgp_show_table /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11751
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#8 0x5570c08b677f in bgp_show_table_rd /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11915
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#9 0x5570c08b6d1c in bgp_show /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11964
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#10 0x5570c08bcb03 in show_ip_bgp_magic /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:13134
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#11 0x5570c086f616 in show_ip_bgp bgpd/bgp_route_clippy.c:514
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#12 0x7efd469b38b6  (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b38b6)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#13 0x7efd469b3c43 in cmd_execute_command (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b3c43)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#14 0x7efd469b4915 in cmd_execute (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b4915)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#15 0x7efd46b8581a  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38581a)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#16 0x7efd46b8a6ff  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38a6ff)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#17 0x7efd46b90f90  (/lib/x86_64-linux-gnu/libfrr.so.0+0x390f90)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#18 0x7efd46b75257 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375257)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#19 0x7efd46a42ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#20 0x5570c06bf804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#21 0x7efd46429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> May 15 16:08:14 vRR-DUT bgpd[1647]: previously allocated by thread T0 here:
> May 15 16:08:14 vRR-DUT bgpd[1647]:     #0 0x7efd470b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#1 0x7efd46a6f7de in qcalloc (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f7de)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#2 0x7efd46b8c5ba in vty_new (/lib/x86_64-linux-gnu/libfrr.so.0+0x38c5ba)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#3 0x7efd46b8f0fe  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38f0fe)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#4 0x7efd46b75257 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375257)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#5 0x7efd46a42ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#6 0x5570c06bf804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#7 0x7efd46429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> May 15 16:08:14 vRR-DUT bgpd[1647]: SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libfrr.so.0+0x383f9f) in vty_out
> May 15 16:08:14 vRR-DUT bgpd[1647]: Shadow bytes around the buggy address:
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a49f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]: =>0x0c56803a4a40: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]: Shadow byte legend (one shadow byte represents 8 application bytes):
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Addressable:           00
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Partially addressable: 01 02 03 04 05 06 07
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Heap left redzone:       fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Freed heap region:       fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack left redzone:      f1
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack mid redzone:       f2
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack right redzone:     f3
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack after return:      f5
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack use after scope:   f8
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Global redzone:          f9
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Global init order:       f6
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Poisoned by user:        f7
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Container overflow:      fc
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Array cookie:            ac
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Intra object redzone:    bb
> May 15 16:08:14 vRR-DUT bgpd[1647]:   ASan internal:           fe
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Left alloca redzone:     ca
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Right alloca redzone:    cb
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Shadow gap:              cc
> May 15 16:08:14 vRR-DUT bgpd[1647]: ==1647==ABORTING

The vty_out() function detects a BROKEN PIPE error during the call of
vtysh_flush() call, and closes the vty pointer. Consequently, the next
vty_out() calls may use an invalid vty pointer.

The call to vtysh_flush() has been added in a previous commit: this call
does a syncronous write, which triggers the error.

Propose to delay the removal of the vty pointer at the next scheduling.
Until that event, keep the vty structure at CLOSE state. The show
function will eventually detect the invalid vty status, and will
anticipate the end of the show command.

Fixes: 9112fb3 ("lib: Memory spike reduction for sh cmds at scale")
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Jun 20, 2025
@pguibert6WIND
lib: delay the free of vty pointer upon vty_close()
f862b23 
If the 'show bgp ipv4 vpn' command is interrupted during the dump of the
whole entries, then a heap use after free may appear.

> May 15 16:08:14 vRR-DUT bgpd[1647]: [N9HHH-F8H1M] %ADJCHANGE: neighbor 3.3.1.232(taastpap-scale-1) in vrf default Up
> May 15 16:08:14 vRR-DUT bgpd[1647]: [GJPH1-W8PZV] Resetting peer 3.3.1.232 due to change in addpath config
> May 15 16:08:14 vRR-DUT bgpd[1647]: [YAF85-253AP][EC 100663299] buffer_flush_available: write error on fd 70: Broken pipe
> May 15 16:08:14 vRR-DUT bgpd[1647]: [THHDB-YPEY6][EC 100663299] vtysh_flush: write error to fd 70, closing
> May 15 16:08:14 vRR-DUT bgpd[1647]: =================================================================
> May 15 16:08:14 vRR-DUT bgpd[1647]: ==1647==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b001d65238 at pc 0x7efd46b83fa0 bp 0x7ffd4d598>
> May 15 16:08:14 vRR-DUT bgpd[1647]: READ of size 1 at 0x62b001d65238 thread T0
> May 15 16:08:14 vRR-DUT bgpd[1647]:     #0 0x7efd46b83f9f in vty_out (/lib/x86_64-linux-gnu/libfrr.so.0+0x383f9f)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#1 0x5570c0a4e7d2 in aspath_print_vty /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_aspath.c:2308
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#2 0x5570c08a8ce6 in route_vty_out /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:9565
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#3 0x5570c08b5b65 in bgp_show_table /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11751
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#4 0x5570c08b677f in bgp_show_table_rd /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11915
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#5 0x5570c08b6d1c in bgp_show /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11964
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#6 0x5570c08bcb03 in show_ip_bgp_magic /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:13134
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#7 0x5570c086f616 in show_ip_bgp bgpd/bgp_route_clippy.c:514
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#8 0x7efd469b38b6  (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b38b6)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#9 0x7efd469b3c43 in cmd_execute_command (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b3c43)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#10 0x7efd469b4915 in cmd_execute (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b4915)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#11 0x7efd46b8581a  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38581a)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#12 0x7efd46b8a6ff  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38a6ff)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#13 0x7efd46b90f90  (/lib/x86_64-linux-gnu/libfrr.so.0+0x390f90)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#14 0x7efd46b75257 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375257)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#15 0x7efd46a42ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#16 0x5570c06bf804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#17 0x7efd46429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#18 0x7efd46429e3f in __libc_start_main_impl ../csu/libc-start.c:392
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#19 0x5570c06bc384 in _start (/usr/bin/bgpd+0x272384)
> May 15 16:08:14 vRR-DUT bgpd[1647]: 0x62b001d65238 is located 56 bytes inside of 26536-byte region [0x62b001d65200,0x62b001d6b9a8)
> May 15 16:08:14 vRR-DUT bgpd[1647]: freed by thread T0 here:
> May 15 16:08:14 vRR-DUT bgpd[1647]:     #0 0x7efd470b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#1 0x7efd46a6f930 in qfree (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f930)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#2 0x7efd46b92467 in vty_close (/lib/x86_64-linux-gnu/libfrr.so.0+0x392467)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#3 0x7efd46b8fd4c  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38fd4c)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#4 0x7efd46b83f60 in vty_out (/lib/x86_64-linux-gnu/libfrr.so.0+0x383f60)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#5 0x5570c0a4e7d2 in aspath_print_vty /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_aspath.c:2308
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#6 0x5570c08a8ce6 in route_vty_out /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:9565
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#7 0x5570c08b5b65 in bgp_show_table /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11751
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#8 0x5570c08b677f in bgp_show_table_rd /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11915
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#9 0x5570c08b6d1c in bgp_show /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:11964
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#10 0x5570c08bcb03 in show_ip_bgp_magic /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_route.c:13134
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#11 0x5570c086f616 in show_ip_bgp bgpd/bgp_route_clippy.c:514
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#12 0x7efd469b38b6  (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b38b6)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#13 0x7efd469b3c43 in cmd_execute_command (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b3c43)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#14 0x7efd469b4915 in cmd_execute (/lib/x86_64-linux-gnu/libfrr.so.0+0x1b4915)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#15 0x7efd46b8581a  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38581a)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#16 0x7efd46b8a6ff  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38a6ff)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#17 0x7efd46b90f90  (/lib/x86_64-linux-gnu/libfrr.so.0+0x390f90)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#18 0x7efd46b75257 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375257)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#19 0x7efd46a42ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#20 0x5570c06bf804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#21 0x7efd46429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> May 15 16:08:14 vRR-DUT bgpd[1647]: previously allocated by thread T0 here:
> May 15 16:08:14 vRR-DUT bgpd[1647]:     #0 0x7efd470b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#1 0x7efd46a6f7de in qcalloc (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f7de)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#2 0x7efd46b8c5ba in vty_new (/lib/x86_64-linux-gnu/libfrr.so.0+0x38c5ba)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#3 0x7efd46b8f0fe  (/lib/x86_64-linux-gnu/libfrr.so.0+0x38f0fe)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#4 0x7efd46b75257 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375257)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#5 0x7efd46a42ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#6 0x5570c06bf804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> May 15 16:08:14 vRR-DUT bgpd[1647]:     FRRouting#7 0x7efd46429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> May 15 16:08:14 vRR-DUT bgpd[1647]: SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libfrr.so.0+0x383f9f) in vty_out
> May 15 16:08:14 vRR-DUT bgpd[1647]: Shadow bytes around the buggy address:
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a49f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> May 15 16:08:14 vRR-DUT bgpd[1647]: =>0x0c56803a4a40: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   0x0c56803a4a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> May 15 16:08:14 vRR-DUT bgpd[1647]: Shadow byte legend (one shadow byte represents 8 application bytes):
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Addressable:           00
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Partially addressable: 01 02 03 04 05 06 07
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Heap left redzone:       fa
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Freed heap region:       fd
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack left redzone:      f1
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack mid redzone:       f2
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack right redzone:     f3
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack after return:      f5
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Stack use after scope:   f8
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Global redzone:          f9
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Global init order:       f6
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Poisoned by user:        f7
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Container overflow:      fc
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Array cookie:            ac
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Intra object redzone:    bb
> May 15 16:08:14 vRR-DUT bgpd[1647]:   ASan internal:           fe
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Left alloca redzone:     ca
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Right alloca redzone:    cb
> May 15 16:08:14 vRR-DUT bgpd[1647]:   Shadow gap:              cc
> May 15 16:08:14 vRR-DUT bgpd[1647]: ==1647==ABORTING

The vty_out() function detects a BROKEN PIPE error during the call of
vtysh_flush() call, and closes the vty pointer. Consequently, the next
vty_out() calls may use an invalid vty pointer.

The call to vtysh_flush() has been added in a previous commit: this call
does a syncronous write for a large buffer, which triggers the error.

Propose to delay the removal of the vty pointer at the next scheduling.
Until that event, keep the vty structure at CLOSE state. The show
function will eventually detect the invalid vty status, and will
anticipate the end of the show command.

Fixes: 9112fb3 ("lib: Memory spike reduction for sh cmds at scale")
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Jul 18, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
e63f6ee 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Jul 18, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
2e002e6 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Jul 18, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
66e2a4c 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
raja-rajasekar pushed a commit to raja-rajasekar/frr that referenced this pull request Jul 21, 2025
@vivek-cumulus @chiragshah6
bgpd: Ignore peer GR commands that are effectively not operable
dbb1937 
The code used to treat a repeated GR configuration on a peer or some
other inappropriate command (e.g., trying to remove 'helper' configuration
when it is not present) as errors. Instead, just ignore these. This is
more in line with other behavior.

Signed-off-by: Vivek Venkatraman <vivek@nvidia.com>

Ticket: #2736244, #2736249
Testing Done:
1. Manual testing - documented in the RM tickets
2. Precommit - user job FRRouting#15 - 1 failure seen is existing failure
raja-rajasekar pushed a commit to raja-rajasekar/frr that referenced this pull request Jul 21, 2025
@louis-6wind @raja-rajasekar
zebra: fix table heap-after-free crash
4212cfa 
Fix a heap-after-free that causes zebra to crash even without
address-sanitizer. To reproduce:

> echo "100 my_table" | tee -a /etc/iproute2/rt_tables
> ip route add blackhole default table 100
> ip route show table 100
> ip l add red type vrf table 100
> ip l del red
> ip route del blackhole default table 100

Zebra manages routing tables for all existing Linux RT tables,
regardless of whether they are assigned to a VRF interface. When a table
is not assigned to any VRF, zebra arbitrarily assigns it to the default
VRF, even though this is not strictly accurate (the code expects this
behavior).

When an RT table is created after a VRF, zebra correctly assigns the
table to the VRF. However, if a VRF interface is assigned to an existing
RT table, zebra does not update the table owner, which remains as the
default VRF. As a result, existing routing entries remain under the
default VRF, while new entries are correctly assigned to the VRF. The
VRF mismatch is unexpected in the code and creates crashes and memory
related issues.

Furthermore, Linux does not automatically delete RT tables when they are
unassigned from a VRF. It is incorrect to delete these tables from zebra.

Instead, at VRF disabling, do not release the table but reassign it to
the default VRF. At VRF enabling, change the table owner back to the
appropriate VRF.

> ==2866266==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000154f54 at pc 0x7fa32474b83f bp 0x7ffe94f67d90 sp 0x7ffe94f67d88
> READ of size 1 at 0x606000154f54 thread T0
>     #0 0x7fa32474b83e in rn_hash_node_const_find lib/table.c:28
>     FRRouting#1 0x7fa32474bab1 in rn_hash_node_find lib/table.c:28
>     FRRouting#2 0x7fa32474d783 in route_node_get lib/table.c:283
>     FRRouting#3 0x7fa3247328dd in srcdest_rnode_get lib/srcdest_table.c:231
>     FRRouting#4 0x55b0e4fa8da4 in rib_find_rn_from_ctx zebra/zebra_rib.c:1957
>     FRRouting#5 0x55b0e4fa8e31 in rib_process_result zebra/zebra_rib.c:1988
>     FRRouting#6 0x55b0e4fb9d64 in rib_process_dplane_results zebra/zebra_rib.c:4894
>     FRRouting#7 0x7fa32476689c in event_call lib/event.c:1996
>     FRRouting#8 0x7fa32463b7b2 in frr_run lib/libfrr.c:1232
>     FRRouting#9 0x55b0e4e6c32a in main zebra/main.c:526
>     FRRouting#10 0x7fa32424fd09 in __libc_start_main ../csu/libc-start.c:308
>     FRRouting#11 0x55b0e4e2d649 in _start (/usr/lib/frr/zebra+0x1a1649)
>
> 0x606000154f54 is located 20 bytes inside of 56-byte region [0x606000154f40,0x606000154f78)
> freed by thread T0 here:
>     #0 0x7fa324ca9b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
>     FRRouting#1 0x7fa324668d8f in qfree lib/memory.c:130
>     FRRouting#2 0x7fa32474c421 in route_table_free lib/table.c:126
>     FRRouting#3 0x7fa32474bf96 in route_table_finish lib/table.c:46
>     FRRouting#4 0x55b0e4fbca3a in zebra_router_free_table zebra/zebra_router.c:191
>     FRRouting#5 0x55b0e4fbccea in zebra_router_release_table zebra/zebra_router.c:214
>     FRRouting#6 0x55b0e4fd428e in zebra_vrf_disable zebra/zebra_vrf.c:219
>     FRRouting#7 0x7fa32476fabf in vrf_disable lib/vrf.c:326
>     FRRouting#8 0x7fa32476f5d4 in vrf_delete lib/vrf.c:231
>     FRRouting#9 0x55b0e4e4ad36 in interface_vrf_change zebra/interface.c:1478
>     FRRouting#10 0x55b0e4e4d5d2 in zebra_if_dplane_ifp_handling zebra/interface.c:1949
>     FRRouting#11 0x55b0e4e4fb89 in zebra_if_dplane_result zebra/interface.c:2268
>     FRRouting#12 0x55b0e4fb9f26 in rib_process_dplane_results zebra/zebra_rib.c:4954
>     FRRouting#13 0x7fa32476689c in event_call lib/event.c:1996
>     FRRouting#14 0x7fa32463b7b2 in frr_run lib/libfrr.c:1232
>     FRRouting#15 0x55b0e4e6c32a in main zebra/main.c:526
>     FRRouting#16 0x7fa32424fd09 in __libc_start_main ../csu/libc-start.c:308
>
> previously allocated by thread T0 here:
>     #0 0x7fa324caa037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
>     FRRouting#1 0x7fa324668c4d in qcalloc lib/memory.c:105
>     FRRouting#2 0x7fa32474bf33 in route_table_init_with_delegate lib/table.c:38
>     FRRouting#3 0x7fa32474e73c in route_table_init lib/table.c:512
>     FRRouting#4 0x55b0e4fbc353 in zebra_router_get_table zebra/zebra_router.c:137
>     FRRouting#5 0x55b0e4fd4da0 in zebra_vrf_table_create zebra/zebra_vrf.c:358
>     FRRouting#6 0x55b0e4fd3d30 in zebra_vrf_enable zebra/zebra_vrf.c:140
>     FRRouting#7 0x7fa32476f9b2 in vrf_enable lib/vrf.c:286
>     FRRouting#8 0x55b0e4e4af76 in interface_vrf_change zebra/interface.c:1533
>     FRRouting#9 0x55b0e4e4d612 in zebra_if_dplane_ifp_handling zebra/interface.c:1968
>     FRRouting#10 0x55b0e4e4fb89 in zebra_if_dplane_result zebra/interface.c:2268
>     FRRouting#11 0x55b0e4fb9f26 in rib_process_dplane_results zebra/zebra_rib.c:4954
>     FRRouting#12 0x7fa32476689c in event_call lib/event.c:1996
>     FRRouting#13 0x7fa32463b7b2 in frr_run lib/libfrr.c:1232
>     FRRouting#14 0x55b0e4e6c32a in main zebra/main.c:526
>     FRRouting#15 0x7fa32424fd09 in __libc_start_main ../csu/libc-start.c:308

Ticket :#4279110

Fixes: d8612e6 ("zebra: Track tables allocated by vrf and cleanup")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
raja-rajasekar added a commit to raja-rajasekar/frr that referenced this pull request Jul 21, 2025
@raja-rajasekar
Merge branch 'rajasekarr/zebra_core_4279110' into 'dev'
f7dd712 
zebra: fix table heap-after-free crash
Fix a heap-after-free that causes zebra to crash even without
address-sanitizer. To reproduce:

> echo "100 my_table" | tee -a /etc/iproute2/rt_tables
> ip route add blackhole default table 100
> ip route show table 100
> ip l add red type vrf table 100
> ip l del red
> ip route del blackhole default table 100

Zebra manages routing tables for all existing Linux RT tables,
regardless of whether they are assigned to a VRF interface. When a table
is not assigned to any VRF, zebra arbitrarily assigns it to the default
VRF, even though this is not strictly accurate (the code expects this
behavior).

When an RT table is created after a VRF, zebra correctly assigns the
table to the VRF. However, if a VRF interface is assigned to an existing
RT table, zebra does not update the table owner, which remains as the
default VRF. As a result, existing routing entries remain under the
default VRF, while new entries are correctly assigned to the VRF. The
VRF mismatch is unexpected in the code and creates crashes and memory
related issues.

Furthermore, Linux does not automatically delete RT tables when they are
unassigned from a VRF. It is incorrect to delete these tables from zebra.

Instead, at VRF disabling, do not release the table but reassign it to
the default VRF. At VRF enabling, change the table owner back to the
appropriate VRF.

```
> ==2866266==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000154f54 at pc 0x7fa32474b83f bp 0x7ffe94f67d90 sp 0x7ffe94f67d88
> READ of size 1 at 0x606000154f54 thread T0
>     #0 0x7fa32474b83e in rn_hash_node_const_find lib/table.c:28
>     FRRouting#1 0x7fa32474bab1 in rn_hash_node_find lib/table.c:28
>     FRRouting#2 0x7fa32474d783 in route_node_get lib/table.c:283
>     FRRouting#3 0x7fa3247328dd in srcdest_rnode_get lib/srcdest_table.c:231
>     FRRouting#4 0x55b0e4fa8da4 in rib_find_rn_from_ctx zebra/zebra_rib.c:1957
>     FRRouting#5 0x55b0e4fa8e31 in rib_process_result zebra/zebra_rib.c:1988
>     FRRouting#6 0x55b0e4fb9d64 in rib_process_dplane_results zebra/zebra_rib.c:4894
>     FRRouting#7 0x7fa32476689c in event_call lib/event.c:1996
>     FRRouting#8 0x7fa32463b7b2 in frr_run lib/libfrr.c:1232
>     FRRouting#9 0x55b0e4e6c32a in main zebra/main.c:526
>     FRRouting#10 0x7fa32424fd09 in __libc_start_main ../csu/libc-start.c:308
>     FRRouting#11 0x55b0e4e2d649 in _start (/usr/lib/frr/zebra+0x1a1649)
>
> 0x606000154f54 is located 20 bytes inside of 56-byte region [0x606000154f40,0x606000154f78)
> freed by thread T0 here:
>     #0 0x7fa324ca9b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
>     FRRouting#1 0x7fa324668d8f in qfree lib/memory.c:130
>     FRRouting#2 0x7fa32474c421 in route_table_free lib/table.c:126
>     FRRouting#3 0x7fa32474bf96 in route_table_finish lib/table.c:46
>     FRRouting#4 0x55b0e4fbca3a in zebra_router_free_table zebra/zebra_router.c:191
>     FRRouting#5 0x55b0e4fbccea in zebra_router_release_table zebra/zebra_router.c:214
>     FRRouting#6 0x55b0e4fd428e in zebra_vrf_disable zebra/zebra_vrf.c:219
>     FRRouting#7 0x7fa32476fabf in vrf_disable lib/vrf.c:326
>     FRRouting#8 0x7fa32476f5d4 in vrf_delete lib/vrf.c:231
>     FRRouting#9 0x55b0e4e4ad36 in interface_vrf_change zebra/interface.c:1478
>     FRRouting#10 0x55b0e4e4d5d2 in zebra_if_dplane_ifp_handling zebra/interface.c:1949
>     FRRouting#11 0x55b0e4e4fb89 in zebra_if_dplane_result zebra/interface.c:2268
>     FRRouting#12 0x55b0e4fb9f26 in rib_process_dplane_results zebra/zebra_rib.c:4954
>     FRRouting#13 0x7fa32476689c in event_call lib/event.c:1996
>     FRRouting#14 0x7fa32463b7b2 in frr_run lib/libfrr.c:1232
>     FRRouting#15 0x55b0e4e6c32a in main zebra/main.c:526
>     FRRouting#16 0x7fa32424fd09 in __libc_start_main ../csu/libc-start.c:308
>
> previously allocated by thread T0 here:
>     #0 0x7fa324caa037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
>     FRRouting#1 0x7fa324668c4d in qcalloc lib/memory.c:105
>     FRRouting#2 0x7fa32474bf33 in route_table_init_with_delegate lib/table.c:38
>     FRRouting#3 0x7fa32474e73c in route_table_init lib/table.c:512
>     FRRouting#4 0x55b0e4fbc353 in zebra_router_get_table zebra/zebra_router.c:137
>     FRRouting#5 0x55b0e4fd4da0 in zebra_vrf_table_create zebra/zebra_vrf.c:358
>     FRRouting#6 0x55b0e4fd3d30 in zebra_vrf_enable zebra/zebra_vrf.c:140
>     FRRouting#7 0x7fa32476f9b2 in vrf_enable lib/vrf.c:286
>     FRRouting#8 0x55b0e4e4af76 in interface_vrf_change zebra/interface.c:1533
>     FRRouting#9 0x55b0e4e4d612 in zebra_if_dplane_ifp_handling zebra/interface.c:1968
>     FRRouting#10 0x55b0e4e4fb89 in zebra_if_dplane_result zebra/interface.c:2268
>     FRRouting#11 0x55b0e4fb9f26 in rib_process_dplane_results zebra/zebra_rib.c:4954
>     FRRouting#12 0x7fa32476689c in event_call lib/event.c:1996
>     FRRouting#13 0x7fa32463b7b2 in frr_run lib/libfrr.c:1232
>     FRRouting#14 0x55b0e4e6c32a in main zebra/main.c:526
>     FRRouting#15 0x7fa32424fd09 in __libc_start_main ../csu/libc-start.c:308
```

Ticket :#4279110

Fixes: d8612e6 ("zebra: Track tables allocated by vrf and cleanup")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

 #

See merge request nbu-sws/CL/FRR/frr!1121
jpetersonssr pushed a commit to jpetersonssr/frr that referenced this pull request Jul 24, 2025
@robertkebler
Merge pull request FRRouting#15 from Juniper-SSN/rkebler/I95-49246-ii…
04ca1cb 
…f-for-svr

remove the code that attempted to fix some of the compilation warnings.
kniteli pushed a commit to kniteli/frr that referenced this pull request Jul 24, 2025
@louis-6wind
zebra: fix heap-after-free on shutdown in netns mode
975c7f5 
Seen with bfd_vrf_topo1, and bgp_evpn_rt5 on Ubuntu 22.04 hwe.

Do not call ns_delete() from zebra_vrf_delete(), which calls
zebra_ns_delete().

- If a netns is removed from the system, vrf_delete()->zebra_vrf_delete()
  is called before calling ns_delete() (see zebra_ns_notify.c).
- If zebra is terminating, zebra_ns_final_shutdown() will call
  zebra_vrf_delete().

> ==616172==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000ae3a4 at pc 0x556cdc178d8f bp 0x7ffe4f41ace0 sp 0x7ffe4f41acd0
> READ of size 4 at 0x6160000ae3a4 thread T0
>     #0 0x556cdc178d8e in ctx_info_from_zns zebra/zebra_dplane.c:3394
>     FRRouting#1 0x556cdc178f55 in dplane_ctx_ns_init zebra/zebra_dplane.c:3410
>     FRRouting#2 0x556cdc17b829 in dplane_ctx_nexthop_init zebra/zebra_dplane.c:3759
>     FRRouting#3 0x556cdc18095f in dplane_nexthop_update_internal zebra/zebra_dplane.c:4566
>     FRRouting#4 0x556cdc1813f1 in dplane_nexthop_delete zebra/zebra_dplane.c:4793
>     FRRouting#5 0x556cdc229234 in zebra_nhg_uninstall_kernel zebra/zebra_nhg.c:3484
>     FRRouting#6 0x556cdc21f8fe in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1804
>     FRRouting#7 0x556cdc24b05a in route_entry_update_nhe zebra/zebra_rib.c:456
>     FRRouting#8 0x556cdc255083 in rib_re_nhg_free zebra/zebra_rib.c:2633
>     FRRouting#9 0x556cdc25e3bb in rib_unlink zebra/zebra_rib.c:4049
>     FRRouting#10 0x556cdc24c9b0 in zebra_rtable_node_cleanup zebra/zebra_rib.c:903
>     FRRouting#11 0x7fb25c173144 in route_node_free lib/table.c:75
>     FRRouting#12 0x7fb25c17337f in route_table_free lib/table.c:111
>     FRRouting#13 0x7fb25c172fe4 in route_table_finish lib/table.c:46
>     FRRouting#14 0x556cdc266f62 in zebra_router_free_table zebra/zebra_router.c:191
>     FRRouting#15 0x556cdc2673ef in zebra_router_terminate zebra/zebra_router.c:243
>     FRRouting#16 0x556cdc10638b in zebra_finalize zebra/main.c:240
>     FRRouting#17 0x7fb25c18e012 in event_call lib/event.c:2019
>     FRRouting#18 0x7fb25c04afc6 in frr_run lib/libfrr.c:1247
>     FRRouting#19 0x556cdc106deb in main zebra/main.c:543
>     FRRouting#20 0x7fb25ba29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>     FRRouting#21 0x7fb25ba29e3f in __libc_start_main_impl ../csu/libc-start.c:392
>     FRRouting#22 0x556cdc0c7ed4 in _start (/usr/lib/frr/zebra+0x192ed4)
>
> 0x6160000ae3a4 is located 36 bytes inside of 592-byte region [0x6160000ae380,0x6160000ae5d0)
> freed by thread T0 here:
>     #0 0x7fb25c6b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
>     FRRouting#1 0x7fb25c0790e3 in qfree lib/memory.c:131
>     FRRouting#2 0x556cdc22d9c9 in zebra_ns_delete zebra/zebra_ns.c:261
>     FRRouting#3 0x7fb25c0ac400 in ns_delete lib/netns_linux.c:319
>     FRRouting#4 0x556cdc28026a in zebra_vrf_delete zebra/zebra_vrf.c:343
>     FRRouting#5 0x7fb25c197443 in vrf_delete lib/vrf.c:282
>     FRRouting#6 0x7fb25c1987e8 in vrf_terminate_single lib/vrf.c:601
>     FRRouting#7 0x7fb25c197a7a in vrf_iterate lib/vrf.c:394
>     FRRouting#8 0x7fb25c198834 in vrf_terminate lib/vrf.c:609
>     FRRouting#9 0x556cdc106345 in zebra_finalize zebra/main.c:223
>     FRRouting#10 0x7fb25c18e012 in event_call lib/event.c:2019
>     FRRouting#11 0x7fb25c04afc6 in frr_run lib/libfrr.c:1247
>     FRRouting#12 0x556cdc106deb in main zebra/main.c:543
>     FRRouting#13 0x7fb25ba29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> previously allocated by thread T0 here:
>     #0 0x7fb25c6b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
>     FRRouting#1 0x7fb25c078f91 in qcalloc lib/memory.c:106
>     FRRouting#2 0x556cdc22d6a1 in zebra_ns_new zebra/zebra_ns.c:231
>     FRRouting#3 0x556cdc22e30b in zebra_ns_init zebra/zebra_ns.c:429
>     FRRouting#4 0x556cdc106cec in main zebra/main.c:480
>     FRRouting#5 0x7fb25ba29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> SUMMARY: AddressSanitizer: heap-use-after-free zebra/zebra_dplane.c:3394 in ctx_info_from_zns

Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Jul 31, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
e5f45cc 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Pdoijode pushed a commit to Pdoijode/frr that referenced this pull request Aug 4, 2025
@vivek-cumulus @Pdoijode
bgpd: Ignore peer GR commands that are effectively not operable
89fc881 
The code used to treat a repeated GR configuration on a peer or some
other inappropriate command (e.g., trying to remove 'helper' configuration
when it is not present) as errors. Instead, just ignore these. This is
more in line with other behavior.

Signed-off-by: Vivek Venkatraman <vivek@nvidia.com>

Ticket: #2736244, #2736249
Testing Done:
1. Manual testing - documented in the RM tickets
2. Precommit - user job FRRouting#15 - 1 failure seen is existing failure
Pdoijode pushed a commit to Pdoijode/frr that referenced this pull request Aug 7, 2025
@vivek-cumulus @Pdoijode
bgpd: Ignore peer GR commands that are effectively not operable
698e289 
The code used to treat a repeated GR configuration on a peer or some
other inappropriate command (e.g., trying to remove 'helper' configuration
when it is not present) as errors. Instead, just ignore these. This is
more in line with other behavior.

Signed-off-by: Vivek Venkatraman <vivek@nvidia.com>

Ticket: #2736244, #2736249
Testing Done:
1. Manual testing - documented in the RM tickets
2. Precommit - user job FRRouting#15 - 1 failure seen is existing failure
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Aug 11, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
9a5fb97 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Aug 12, 2025
@dmytroshytyi-6WIND @pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
7c24a4c 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Aug 12, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
c3b84bc 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Aug 12, 2025
@dmytroshytyi-6WIND @pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
5b9e619 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Aug 12, 2025
@dmytroshytyi-6WIND @pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
35d5600 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Pdoijode pushed a commit to Pdoijode/frr that referenced this pull request Aug 13, 2025
@vivek-cumulus @Pdoijode
bgpd: Ignore peer GR commands that are effectively not operable
db9013c 
The code used to treat a repeated GR configuration on a peer or some
other inappropriate command (e.g., trying to remove 'helper' configuration
when it is not present) as errors. Instead, just ignore these. This is
more in line with other behavior.

Signed-off-by: Vivek Venkatraman <vivek@nvidia.com>

Ticket: #2736244, #2736249
Testing Done:
1. Manual testing - documented in the RM tickets
2. Precommit - user job FRRouting#15 - 1 failure seen is existing failure
Pdoijode pushed a commit to Pdoijode/frr that referenced this pull request Aug 15, 2025
@vivek-cumulus @Pdoijode
bgpd: Ignore peer GR commands that are effectively not operable
18c3e57 
The code used to treat a repeated GR configuration on a peer or some
other inappropriate command (e.g., trying to remove 'helper' configuration
when it is not present) as errors. Instead, just ignore these. This is
more in line with other behavior.

Signed-off-by: Vivek Venkatraman <vivek@nvidia.com>

Ticket: #2736244, #2736249
Testing Done:
1. Manual testing - documented in the RM tickets
2. Precommit - user job FRRouting#15 - 1 failure seen is existing failure
Pdoijode pushed a commit to Pdoijode/frr that referenced this pull request Aug 18, 2025
@vivek-cumulus @Pdoijode
bgpd: Ignore peer GR commands that are effectively not operable
e64bd0e 
The code used to treat a repeated GR configuration on a peer or some
other inappropriate command (e.g., trying to remove 'helper' configuration
when it is not present) as errors. Instead, just ignore these. This is
more in line with other behavior.

Signed-off-by: Vivek Venkatraman <vivek@nvidia.com>

Ticket: #2736244, #2736249
Testing Done:
1. Manual testing - documented in the RM tickets
2. Precommit - user job FRRouting#15 - 1 failure seen is existing failure
Pdoijode pushed a commit to Pdoijode/frr that referenced this pull request Aug 19, 2025
@vivek-cumulus @Pdoijode
bgpd: Ignore peer GR commands that are effectively not operable
5c1870f 
The code used to treat a repeated GR configuration on a peer or some
other inappropriate command (e.g., trying to remove 'helper' configuration
when it is not present) as errors. Instead, just ignore these. This is
more in line with other behavior.

Signed-off-by: Vivek Venkatraman <vivek@nvidia.com>

Ticket: #2736244, #2736249
Testing Done:
1. Manual testing - documented in the RM tickets
2. Precommit - user job FRRouting#15 - 1 failure seen is existing failure
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Aug 20, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
0462795 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Aug 20, 2025
@dmytroshytyi-6WIND @pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
f65e0b6 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Pdoijode pushed a commit to Pdoijode/frr that referenced this pull request Aug 20, 2025
@vivek-cumulus @Pdoijode
bgpd: Ignore peer GR commands that are effectively not operable
e97a652 
The code used to treat a repeated GR configuration on a peer or some
other inappropriate command (e.g., trying to remove 'helper' configuration
when it is not present) as errors. Instead, just ignore these. This is
more in line with other behavior.

Signed-off-by: Vivek Venkatraman <vivek@nvidia.com>

Ticket: #2736244, #2736249
Testing Done:
1. Manual testing - documented in the RM tickets
2. Precommit - user job FRRouting#15 - 1 failure seen is existing failure
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Aug 22, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
47949da 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Aug 22, 2025
@dmytroshytyi-6WIND @pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
b5ebec6 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Pdoijode pushed a commit to Pdoijode/frr that referenced this pull request Aug 27, 2025
@vivek-cumulus @Pdoijode
bgpd: Ignore peer GR commands that are effectively not operable
e64de95 
The code used to treat a repeated GR configuration on a peer or some
other inappropriate command (e.g., trying to remove 'helper' configuration
when it is not present) as errors. Instead, just ignore these. This is
more in line with other behavior.

Signed-off-by: Vivek Venkatraman <vivek@nvidia.com>

Ticket: #2736244, #2736249
Testing Done:
1. Manual testing - documented in the RM tickets
2. Precommit - user job FRRouting#15 - 1 failure seen is existing failure
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Aug 29, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
6a409b3 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Aug 29, 2025
@dmytroshytyi-6WIND @pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
ad9273e 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@donaldsharp donaldsharp donaldsharp left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@louberger @eqvinox @donaldsharp @gpziemba