Bgpafisafi #1
Closed
Bgpafisafi #1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allow the specification of a VRF_ALL to be used for CLI. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
The show_adj_route_vpn function is only currently used in conjunction with the KEEP_OLD_VPN_COMMANDS #define. Add this function to that define for the moment. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
The bgp_parse_safi function is never called remove it. Especially as that later commits will properly handle what this function was trying to do. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
The parser was incorrect for the 'set ... vpn nexthop ...' commands. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Create bgp_vty_find_and_parse_afi_safi_vrf that will parse the `show [ip] bgp [<view|vrf> WORD] [<ipv4|ipv6> [<unicast|multicast|vpn|encap>]]' part of a command and to return the correct spot we are in the command. Cleanup 'dampening parameters' part of this command. Consolidate the creation of the bgp data structure to be a bit cleaner. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Cleanup the bgp bestpath or multipath show commands. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Fix this command to use the correct format for a show command. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
1) Make [<view|vrf> WORD] consistent 2) Fix inconsistent help string 3) Fix the show .. vrf all command Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
mwinter-osr
added a commit
that referenced
this pull request
Feb 7, 2017
…rminated (BUFFER_SIZE_WARNING) Coverity: buffer_size_warning: Calling strncpy with a maximum size argument of 100 bytes on destination array pid_file of size 100 bytes might leave the destination string unterminated. Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
mwinter-osr
added a commit
that referenced
this pull request
Feb 7, 2017
… too small (BUFFER_SIZE) Coverity: buffer_size: You might overrun the 108 byte destination string addr.sun_path by writing the maximum 4095 bytes from path. Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
mwinter-osr
added a commit
that referenced
this pull request
Feb 7, 2017
…TCH) Needs to be size of correct structure (prefix instead of prefix_ipv4) Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
mwinter-osr
added a commit
that referenced
this pull request
Feb 7, 2017
…ERFLOW) Coverity: string_overflow: You might overrun the 100-character destination string vty_path by writing 4096 characters from vty_sock_path. Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
mwinter-osr
added a commit
that referenced
this pull request
Feb 10, 2017
…rminated (BUFFER_SIZE_WARNING) Coverity: buffer_size_warning: Calling strncpy with a maximum size argument of 100 bytes on destination array pid_file of size 100 bytes might leave the destination string unterminated. Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
mwinter-osr
added a commit
that referenced
this pull request
Feb 10, 2017
… too small (BUFFER_SIZE) Coverity: buffer_size: You might overrun the 108 byte destination string addr.sun_path by writing the maximum 4095 bytes from path. Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
mwinter-osr
added a commit
that referenced
this pull request
Feb 10, 2017
…TCH) Needs to be size of correct structure (prefix instead of prefix_ipv4) Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
mwinter-osr
added a commit
that referenced
this pull request
Feb 10, 2017
…ERFLOW) Coverity: string_overflow: You might overrun the 100-character destination string vty_path by writing 4096 characters from vty_sock_path. Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
mwinter-osr
pushed a commit
that referenced
this pull request
Sep 28, 2017
Signed-off-by: Daniel Walton <dwalton@cumulusnetworks.com> Before ====== cel-redxp-10# show ip bgp 20.1.3.0/24 BGP routing table entry for 20.1.3.0/24 Paths: (1 available, best #1, table Default-IP-Routing-Table) Advertised to non peer-group peers: top1(10.1.1.2) bottom0(20.1.2.2) 4294967292 20.1.2.2 from bottom0(20.1.2.2) (20.1.1.1) Origin IGP, metric 0, localpref 100, valid, external, bestpath-from-AS -4, best Community: 99:1 AddPath ID: RX 0, TX 92 Last update: Wed Sep 27 16:02:34 2017 cel-redxp-10# After ===== cel-redxp-10# show ip bgp 20.1.3.0/24 BGP routing table entry for 20.1.3.0/24 Paths: (1 available, best #1, table Default-IP-Routing-Table) Advertised to non peer-group peers: bottom0(20.1.2.2) 4294967292 20.1.2.2 from bottom0(20.1.2.2) (20.1.1.1) Origin IGP, metric 0, localpref 100, valid, external, bestpath-from-AS 4294967292, best Community: 99:1 AddPath ID: RX 0, TX 2 Last update: Wed Sep 27 16:07:09 2017 cel-redxp-10#
mwinter-osr
pushed a commit
that referenced
this pull request
Jul 27, 2018
bgpd: changes for crash seen in BGP on "no rt vpn" bug Id 2667
mwinter-osr
pushed a commit
that referenced
this pull request
Aug 3, 2018
Avoid displaying default configured local preference as part of bgp route's detail output. Local preference is for iBGP learnt route's. The value could be default (100) or configured value (via routemap or local pref config cmd). show bgp afi safi (brief output) does not display, if the local pref attribute is not set. Similarly, show bgp afi safi detail route output should display if the the attribute is set, and should not display configured value. This way both output would be consistent. The configured local preference can be seen via running-config. Ticket:CM-12769 Reviewed By: Testing Done: eBGP output: show bgp ipv4 45.0.3.0/24 BGP routing table entry for 45.0.3.0/24 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: MSP1(uplink-1) MSP2(uplink-2) Local 0.0.0.0 from 0.0.0.0 (27.0.0.9) Origin incomplete, metric 0, weight 32768, valid,sourced, bestpath-from-AS Local, best AddPath ID: RX 0, TX 7 Last update: Thu Jul 26 02:10:02 2018 iBGP output: show bgp ipv4 unicast 6.0.0.16/32 BGP routing table entry for 6.0.0.16/32 Paths: (1 available, best #1, table default) Not advertised to any peer Local 6.0.0.16 (metric 20) from tor-12(6.0.0.16) (6.0.0.16) Origin incomplete, metric 0, localpref 100, valid, internal, bestpath-from-AS Local, best AddPath ID: RX 0, TX 13 Last update: Thu Jul 26 05:26:18 2018 Signed-off-by: Chirag Shah <chirag@cumulusnetworks.com>
mwinter-osr
pushed a commit
that referenced
this pull request
Sep 10, 2018
updateing to latest FRRrouting
eqvinox
pushed a commit
that referenced
this pull request
Nov 13, 2018
This commit introduces lib/id_alloc, which has facilities for both an ID number allocator, and less efficient ID holding pools. The pools are meant to be a temporary holding area for ID numbers meant to be re-used, and are implemented as a linked-list stack. The allocator itself is much more efficient with memory. Based on sizeof values on my 64 bit desktop, the allocator requires around 155 KiB per million IDs tracked. IDs are ultimately tracked in a bit-map split into many "pages." The allocator tracks a list of pages that have free bits, and which sections of each page have free IDs, so there isn't any scanning required to find a free ID. (The library utility ffs, or "Find First Set," is generally a single CPU instruction.) At the moment, totally empty pages will not be freed, so the memory utilization of this allocator will remain at the high water mark. The initial intended use case is for BGP's TX Addpath IDs to be pulled from an allocator that tracks which IDs are in use, rather than a free running counter. The allocator reserves ID #0 as a sentinel value for an invalid ID numbers, and BGP will want ID #1 reserved as well. To support this, the allocator allows for IDs to be explicitly reserved, though be aware this is only practical to use with low numbered IDs because the allocator must allocate pages in order. Signed-off-by Mitchell Skiba <mskiba@amazon.com>
cfra
pushed a commit
that referenced
this pull request
Nov 29, 2018
Update Readme to have correct ordering for frr user
rwestphal
added a commit
that referenced
this pull request
Dec 31, 2018
Fixes the following warning when running ripngd with valgrind: ==38== Syscall param sendmsg(msg.msg_control) points to uninitialised byte(s) ==38== at 0x5EA1E47: sendmsg (sendmsg.c:28) ==38== by 0x118C48: ripng_send_packet (ripngd.c:226) ==38== by 0x11D1D6: ripng_request (ripngd.c:1924) ==38== by 0x120BD8: ripng_interface_wakeup (ripng_interface.c:666) ==38== by 0x4ECB4B4: thread_call (thread.c:1601) ==38== by 0x4E8D9CE: frr_run (libfrr.c:1011) ==38== by 0x1121C8: main (ripng_main.c:180) ==38== Address 0xffefffc34 is on thread 1's stack ==38== in frame #1, created by ripng_send_packet (ripngd.c:172) Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
NetDEF-CI
pushed a commit
that referenced
this pull request
Mar 14, 2025
The command `show bgp <afi> <safi>` has this output: r1# show bgp ipv4 uni 10.0.0.0 BGP routing table entry for 10.0.0.0/32, version 1 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: r1-eth0 r1-eth1 r1-eth2 r1-eth3 .... It specifically states `Advertised to non peer-group peers:` yet the code is not filtering those out. Signed-off-by: Donald Sharp <sharpd@nvidia.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Apr 11, 2025
> ==713776==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 120 byte(s) in 1 object(s) allocated from: > #0 0x7fdfcbeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fdfcb86f8dd in qcalloc lib/memory.c:105 > #2 0x55ce707739b6 in isis_tlvs_find_alloc_asla isisd/isis_tlvs.c:8500 > #3 0x55ce7072fae0 in isis_link_params_update_asla isisd/isis_te.c:191 > #4 0x55ce70733881 in isis_link_params_update isisd/isis_te.c:499 > #5 0x55ce70693f2a in isis_circuit_up isisd/isis_circuit.c:776 > #6 0x55ce7069a120 in isis_csm_state_change isisd/isis_csm.c:135 > #7 0x55ce7068dd80 in isis_circuit_enable isisd/isis_circuit.c:79 > #8 0x55ce70699346 in isis_ifp_create isisd/isis_circuit.c:1618 > #9 0x7fdfcb81f47f in hook_call_if_real lib/if.c:55 > #10 0x7fdfcb82056e in if_new_via_zapi lib/if.c:188 > #11 0x7fdfcb9d17da in zclient_interface_add lib/zclient.c:2706 > #12 0x7fdfcb9df842 in zclient_read lib/zclient.c:4843 > #13 0x7fdfcb97798e in event_call lib/event.c:2011 > #14 0x7fdfcb842ff1 in frr_run lib/libfrr.c:1216 > #15 0x55ce7067cbf2 in main isisd/isis_main.c:360 > #16 0x7fdfcb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Indirect leak of 8 byte(s) in 1 object(s) allocated from: > #0 0x7fdfcbeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fdfcb86f8dd in qcalloc lib/memory.c:105 > #2 0x7fdfcb79a7b7 in admin_group_init lib/admin_group.c:186 > #3 0x55ce707739ca in isis_tlvs_find_alloc_asla isisd/isis_tlvs.c:8501 > #4 0x55ce7072fae0 in isis_link_params_update_asla isisd/isis_te.c:191 > #5 0x55ce70733881 in isis_link_params_update isisd/isis_te.c:499 > #6 0x55ce70693f2a in isis_circuit_up isisd/isis_circuit.c:776 > #7 0x55ce7069a120 in isis_csm_state_change isisd/isis_csm.c:135 > #8 0x55ce7068dd80 in isis_circuit_enable isisd/isis_circuit.c:79 > #9 0x55ce70699346 in isis_ifp_create isisd/isis_circuit.c:1618 > #10 0x7fdfcb81f47f in hook_call_if_real lib/if.c:55 > #11 0x7fdfcb82056e in if_new_via_zapi lib/if.c:188 > #12 0x7fdfcb9d17da in zclient_interface_add lib/zclient.c:2706 > #13 0x7fdfcb9df842 in zclient_read lib/zclient.c:4843 > #14 0x7fdfcb97798e in event_call lib/event.c:2011 > #15 0x7fdfcb842ff1 in frr_run lib/libfrr.c:1216 > #16 0x55ce7067cbf2 in main isisd/isis_main.c:360 > #17 0x7fdfcb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 PR: 95719 Fixes: 5749ac8 ("isisd: add ASLA support") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Apr 11, 2025
We are obviously doing deleting on wrong object. > Direct leak of 40 byte(s) in 1 object(s) allocated from: > #0 0x7fcf718b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fcf7126f8dd in qcalloc lib/memory.c:105 > #2 0x7fcf7124401a in list_new lib/linklist.c:49 > #3 0x55771621d86d in pbr_iptable_alloc_intern zebra/zebra_pbr.c:1015 > #4 0x7fcf71217d79 in hash_get lib/hash.c:147 > #5 0x55771621dad3 in zebra_pbr_add_iptable zebra/zebra_pbr.c:1030 > #6 0x55771614d00c in zread_iptable zebra/zapi_msg.c:4131 > #7 0x55771614e586 in zserv_handle_commands zebra/zapi_msg.c:4424 > #8 0x5577162dae2c in zserv_process_messages zebra/zserv.c:521 > #9 0x7fcf7137798e in event_call lib/event.c:2011 > #10 0x7fcf71242ff1 in frr_run lib/libfrr.c:1216 > #11 0x5577160e4d6d in main zebra/main.c:540 > #12 0x7fcf70c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Indirect leak of 24 byte(s) in 1 object(s) allocated from: > #0 0x7fcf718b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fcf7126f8dd in qcalloc lib/memory.c:105 > #2 0x7fcf71244129 in listnode_new lib/linklist.c:71 > #3 0x7fcf71244238 in listnode_add lib/linklist.c:92 > #4 0x55771621d938 in pbr_iptable_alloc_intern zebra/zebra_pbr.c:1019 > #5 0x7fcf71217d79 in hash_get lib/hash.c:147 > #6 0x55771621dad3 in zebra_pbr_add_iptable zebra/zebra_pbr.c:1030 > #7 0x55771614d00c in zread_iptable zebra/zapi_msg.c:4131 > #8 0x55771614e586 in zserv_handle_commands zebra/zapi_msg.c:4424 > #9 0x5577162dae2c in zserv_process_messages zebra/zserv.c:521 > #10 0x7fcf7137798e in event_call lib/event.c:2011 > #11 0x7fcf71242ff1 in frr_run lib/libfrr.c:1216 > #12 0x5577160e4d6d in main zebra/main.c:540 > #13 0x7fcf70c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: f80ec7e ("zebra: handle iptable list of interfaces") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Apr 15, 2025
> ==238132==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 160 byte(s) in 1 object(s) allocated from: > #0 0x7fd79f0b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd79ea6f8dd in qcalloc lib/memory.c:105 > #2 0x5586b26995f9 in bgp_pbr_match_entry_alloc_intern bgpd/bgp_pbr.c:1155 > #3 0x7fd79ea17d79 in hash_get lib/hash.c:147 > #4 0x5586b26a551d in bgp_pbr_policyroute_add_to_zebra_unit bgpd/bgp_pbr.c:2522 > #5 0x5586b26a6436 in bgp_pbr_policyroute_add_to_zebra bgpd/bgp_pbr.c:2672 > #6 0x5586b26a8089 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2876 > #7 0x5586b26a8912 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2939 > #8 0x5586b2829472 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #9 0x5586b282ab4b in bgp_zebra_announce_table bgpd/bgp_zebra.c:1766 > #10 0x5586b2824b99 in bgp_zebra_tm_connect bgpd/bgp_zebra.c:1091 > #11 0x7fd79eb7798e in event_call lib/event.c:2011 > #12 0x7fd79ea42ff1 in frr_run lib/libfrr.c:1216 > #13 0x5586b2503a15 in main bgpd/bgp_main.c:545 > #14 0x7fd79e429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: d114b0d ("bgpd: inject policy route entry from bgp into zebra pbr entries.") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Apr 15, 2025
> Direct leak of 1144 byte(s) in 13 object(s) allocated from: > #0 0x7f3eedeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f3eed86f8dd in qcalloc lib/memory.c:105 > #2 0x55b32d236faf in bgp_pbr_match_alloc_intern bgpd/bgp_pbr.c:1074 > #3 0x7f3eed817d79 in hash_get lib/hash.c:147 > #4 0x55b32d242d9a in bgp_pbr_policyroute_add_to_zebra_unit bgpd/bgp_pbr.c:2486 > #5 0x55b32d244436 in bgp_pbr_policyroute_add_to_zebra bgpd/bgp_pbr.c:2672 > #6 0x55b32d245a05 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2843 > #7 0x55b32d246912 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2939 > #8 0x55b32d3c7472 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #9 0x55b32d26e5e7 in bgp_process_main_one bgpd/bgp_route.c:3691 > #10 0x55b32d26f77d in process_subq_other_route bgpd/bgp_route.c:3856 > #11 0x55b32d2701ff in process_subq bgpd/bgp_route.c:3955 > #12 0x55b32d27029f in meta_queue_process bgpd/bgp_route.c:3980 > #13 0x7f3eed99fdd8 in work_queue_run lib/workqueue.c:282 > #14 0x7f3eed97798e in event_call lib/event.c:2011 > #15 0x7f3eed842ff1 in frr_run lib/libfrr.c:1216 > #16 0x55b32d0a1a15 in main bgpd/bgp_main.c:545 > #17 0x7f3eed229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: d114b0d ("bgpd: inject policy route entry from bgp into zebra pbr entries.") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Apr 15, 2025
Note that bgp_pbr_policyroute_add_from_zebra() and bgp_pbr_policyroute_remove_from_zebra() are only called from bgp_pbr_handle_entry(). > ==966967==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 40 byte(s) in 1 object(s) allocated from: > #0 0x7fd447ab4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd44746f8dd in qcalloc lib/memory.c:105 > #2 0x7fd44744401a in list_new lib/linklist.c:49 > #3 0x560f8c094490 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2818 > #4 0x560f8c095993 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2941 > #5 0x560f8c2164f3 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #6 0x560f8c0bd668 in bgp_process_main_one bgpd/bgp_route.c:3691 > #7 0x560f8c0be7fe in process_subq_other_route bgpd/bgp_route.c:3856 > #8 0x560f8c0bf280 in process_subq bgpd/bgp_route.c:3955 > #9 0x560f8c0bf320 in meta_queue_process bgpd/bgp_route.c:3980 > #10 0x7fd44759fdfc in work_queue_run lib/workqueue.c:282 > #11 0x7fd4475779b2 in event_call lib/event.c:2011 > #12 0x7fd447442ff1 in frr_run lib/libfrr.c:1216 > #13 0x560f8bef0a15 in main bgpd/bgp_main.c:545 > #14 0x7fd446e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 40 byte(s) in 1 object(s) allocated from: > #0 0x7fd447ab4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd44746f8dd in qcalloc lib/memory.c:105 > #2 0x7fd44744401a in list_new lib/linklist.c:49 > #3 0x560f8c09439d in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2812 > #4 0x560f8c095993 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2941 > #5 0x560f8c2164f3 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #6 0x560f8c0bd668 in bgp_process_main_one bgpd/bgp_route.c:3691 > #7 0x560f8c0be7fe in process_subq_other_route bgpd/bgp_route.c:3856 > #8 0x560f8c0bf280 in process_subq bgpd/bgp_route.c:3955 > #9 0x560f8c0bf320 in meta_queue_process bgpd/bgp_route.c:3980 > #10 0x7fd44759fdfc in work_queue_run lib/workqueue.c:282 > #11 0x7fd4475779b2 in event_call lib/event.c:2011 > #12 0x7fd447442ff1 in frr_run lib/libfrr.c:1216 > #13 0x560f8bef0a15 in main bgpd/bgp_main.c:545 > #14 0x7fd446e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 4 byte(s) in 1 object(s) allocated from: > #0 0x7fd447ab4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd44746f8dd in qcalloc lib/memory.c:105 > #2 0x560f8c080cec in bgp_pbr_extract_enumerate_unary bgpd/bgp_pbr.c:362 > #3 0x560f8c080f7e in bgp_pbr_extract_enumerate bgpd/bgp_pbr.c:400 > #4 0x560f8c094530 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2819 > #5 0x560f8c095993 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2941 > #6 0x560f8c2164f3 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #7 0x560f8c0bd668 in bgp_process_main_one bgpd/bgp_route.c:3691 > #8 0x560f8c0be7fe in process_subq_other_route bgpd/bgp_route.c:3856 > #9 0x560f8c0bf280 in process_subq bgpd/bgp_route.c:3955 > #10 0x560f8c0bf320 in meta_queue_process bgpd/bgp_route.c:3980 > #11 0x7fd44759fdfc in work_queue_run lib/workqueue.c:282 > #12 0x7fd4475779b2 in event_call lib/event.c:2011 > #13 0x7fd447442ff1 in frr_run lib/libfrr.c:1216 > #14 0x560f8bef0a15 in main bgpd/bgp_main.c:545 > #15 0x7fd446e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 4 byte(s) in 1 object(s) allocated from: > #0 0x7fd447ab4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd44746f8dd in qcalloc lib/memory.c:105 > #2 0x560f8c080cec in bgp_pbr_extract_enumerate_unary bgpd/bgp_pbr.c:362 > #3 0x560f8c080f7e in bgp_pbr_extract_enumerate bgpd/bgp_pbr.c:400 > #4 0x560f8c09443d in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2813 > #5 0x560f8c095993 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2941 > #6 0x560f8c2164f3 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #7 0x560f8c0bd668 in bgp_process_main_one bgpd/bgp_route.c:3691 > #8 0x560f8c0be7fe in process_subq_other_route bgpd/bgp_route.c:3856 > #9 0x560f8c0bf280 in process_subq bgpd/bgp_route.c:3955 > #10 0x560f8c0bf320 in meta_queue_process bgpd/bgp_route.c:3980 > #11 0x7fd44759fdfc in work_queue_run lib/workqueue.c:282 > #12 0x7fd4475779b2 in event_call lib/event.c:2011 > #13 0x7fd447442ff1 in frr_run lib/libfrr.c:1216 > #14 0x560f8bef0a15 in main bgpd/bgp_main.c:545 > #15 0x7fd446e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Apr 16, 2025
Seen with isis_srv6_topo1 topotest. > ==178793==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 56 byte(s) in 1 object(s) allocated from: > #0 0x7f3f63cb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f3f6366f8dd in qcalloc lib/memory.c:105 > #2 0x561b810c62b7 in isis_srv6_sid_alloc isisd/isis_srv6.c:243 > #3 0x561b8111f944 in isis_zebra_srv6_sid_notify isisd/isis_zebra.c:1534 > #4 0x7f3f637df9d7 in zclient_read lib/zclient.c:4845 > #5 0x7f3f637779b2 in event_call lib/event.c:2011 > #6 0x7f3f63642ff1 in frr_run lib/libfrr.c:1216 > #7 0x561b81018bf2 in main isisd/isis_main.c:360 > #8 0x7f3f63029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: 0af0f46 ("isisd: Receive SRv6 SIDs notifications from zebra") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Apr 29, 2025
A heap use after free when enabling bmp mirror on a non connected BMP target. > Apr 22 14:06:49 vRR-DUT systemd[1]: Started bfdd. > Apr 22 14:06:51 vRR-DUT bgpd[1522]: [VTCF0-ZHP6C] bmp: missing TX OPEN message for peer Static announcement > Apr 22 14:06:51 vRR-DUT bgpd[1522]: [K3RM9-4A4HY] bmp: missing RX OPEN message for peer Static announcement > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ================================================================= > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000321d0 at pc 0x7fe7f11c548e bp 0x7fff49f80d40 sp 0x7fff49f80d30 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: READ of size 8 at 0x60f0000321d0 thread T0 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f11c548d in typesafe_list_add /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f11c9347 in bmp_mirrorq_add_tail /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:116 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #2 0x7fe7f11d030f in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:867 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #9 0x7fe7f4c29e3f in __libc_start_main_impl ../csu/libc-start.c:392 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #10 0x55c756c6e384 in _start (/usr/bin/bgpd+0x272384) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x60f0000321d0 is located 0 bytes inside of 162-byte region [0x60f0000321d0,0x60f000032272) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: freed by thread T0 here: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f58b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f526f918 in qfree (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f918) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #2 0x7fe7f11d057b in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:875 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: previously allocated by thread T0 here: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f58b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f526f7c6 in qcalloc (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f7c6) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #2 0x7fe7f11cfd38 in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:835 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: SUMMARY: AddressSanitizer: heap-use-after-free /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 in typesafe_list_add > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow bytes around the buggy address: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe3f0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe410: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: =>0x0c1e7fffe430: 00 fa fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow byte legend (one shadow byte represents 8 application bytes): > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Addressable: 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Partially addressable: 01 02 03 04 05 06 07 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Heap left redzone: fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Freed heap region: fd > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack left redzone: f1 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack mid redzone: f2 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack right redzone: f3 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack after return: f5 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack use after scope: f8 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Global redzone: f9 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Global init order: f6 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Poisoned by user: f7 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Container overflow: fc > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Array cookie: ac > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Intra object redzone: bb > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ASan internal: fe > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Left alloca redzone: ca > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Right alloca redzone: cb > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow gap: cc > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ABORTING > Apr 22 14:06:52 vRR-DUT yams[449]: CONFIG: [{'name': 'ttyS0'}] > Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 50: Connection reset by peer > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Main process exited, code=exited, status=1/FAILURE > Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 39: Connection reset by peer > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Failed with result 'exit-code'. > Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 0) encountered an error and is shutting down. > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Consumed 2.361s CPU time. > Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 1) encountered an error and is shutting down. > Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 39 disconnected 0 bgp routes removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 39 disconnected 0 bgp nhgs removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [KQB7H-NPVW9] /build/make-pkg/output/_packages/cp-routing/src/zebra/zebra_ptm.c:1285 failed to find process pid registration > Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 50 disconnected 0 bgp routes removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 50 disconnected 0 bgp nhgs removed from the rib > Do not enqueue item in the mirror queue if no reference count has been found in the connection list. Fixes: b1ebe54 ("bgpd: bmp, handle imported bgp instances in bmp_mirror") Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
May 13, 2025
Issue:
When we have bgp peer-group, and prefix are advertised to the
peers in it correctly, it still shows Not advertised to any peer
Fix:
1)Rearranged code, to show 1st non peer-group advertised state
2)Then show peer-group peers
Testing:
router bgp 1001
no bgp ebgp-requires-policy
read-quanta 1
timers bgp 5 60
neighbor nbr_grp1 peer-group
neighbor nbr_grp1 remote-as external
neighbor nbr_grp2 peer-group
neighbor nbr_grp2 remote-as external
neighbor nbr_grp3 peer-group
neighbor nbr_grp3 remote-as external
neighbor 2001:db8:2:252::2 peer-group nbr_grp1
neighbor 2001:db8:2:254::2 peer-group nbr_grp1
neighbor 2001:db8:2:255::2 peer-group nbr_grp1
neighbor 2001:db8:2:253::2 peer-group nbr_grp2
neighbor 2001:db8:3:1::2 peer-group nbr_grp2
neighbor 2001:db8:3:2::2 peer-group nbr_grp3
neighbor 2001:db8:3:3::2 peer-group nbr_grp3
neighbor 2001:db8:3:4::2 peer-group nbr_grp3
neighbor 2001:db8:1:1::2 remote-as external
!
address-family ipv6 unicast
redistribute sharp
neighbor nbr_grp1 activate
neighbor nbr_grp2 activate
neighbor nbr_grp3 activate
neighbor 2001:db8:1:1::2 activate
exit-address-family
exit
!
end
sh bgp ipv6 unicast
BGP table version is 1, local router ID is 192.168.1.1, vrf id 0
Default local pref 100, local AS 1001
Status codes: s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 2100:cafe::/128 2001:db8::1 0 32768 ?
Displayed 1 routes and 1 total paths
r1# sh bgp ipv6 unicast 2100:cafe::/128
BGP routing table entry for 2100:cafe::/128, version 1
Paths: (1 available, best #1, table default)
Advertised to non peer-group peers:
2001:db8:1:1::2
Advertised to peer-group nbr_grp1 peers:
2001:db8:2:252::2 2001:db8:2:254::2 2001:db8:2:255::2
Advertised to peer-group nbr_grp2 peers:
2001:db8:2:253::2 2001:db8:3:1::2
Advertised to peer-group nbr_grp3 peers:
2001:db8:3:2::2 2001:db8:3:3::2 2001:db8:3:4::2
Local
2001:db8::1 from :: (192.168.1.1)
Origin incomplete, metric 0, weight 32768, valid, sourced, best (First path received)
Last update: Sat Apr 5 20:29:31 2025
1# sh bgp ipv6 unicast 2100:cafe::/128 json
{
"prefix":"2100:cafe::/128",
"version":1,
"advertisedTo":{
"2001:db8:1:1::2":{
"hostname":"r2"
},
"2001:db8:2:252::2":{
"hostname":"r2"
},
"2001:db8:2:254::2":{
"hostname":"r2"
},
"2001:db8:2:255::2":{
"hostname":"r2"
},
"2001:db8:2:253::2":{
"hostname":"r2"
},
"2001:db8:3:1::2":{
"hostname":"r2"
},
"2001:db8:3:2::2":{
"hostname":"r2"
},
"2001:db8:3:3::2":{
"hostname":"r2"
},
"2001:db8:3:4::2":{
"hostname":"r2"
}
},
"paths":[
{
"aspath":{
"string":"Local",
"segments":[
],
"length":0
},
"origin":"incomplete",
"metric":0,
"weight":32768,
"valid":true,
"version":1,
"sourced":true,
"bestpath":{
"overall":true,
"selectionReason":"First path received"
},
"lastUpdate":{
"epoch":1743884971,
"string":"Sat Apr 5 20:29:31 2025"
},
"fibInstalled":true,
"nexthops":[
{
"ip":"2001:db8::1",
"hostname":"r1",
"afi":"ipv6",
"scope":"global",
"linkLocalOnly":false,
"length":16,
"metric":0,
"accessible":true,
"used":true
}
],
"peer":{
"peerId":"::",
"routerId":"192.168.1.1"
}
}
]
}
r1#
Signed-off-by: Soumya Roy <souroy@nvidia.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
May 13, 2025
Currently peer group name is not displayed in show bgp vty output and also in json output. This fix adds those information in show bgp command test: BGP routing table entry for 192.168.251.0/30, version 1 Paths: (1 available, best #1, table default) Advertised to peers: 192.168.255.3 192.168.251.2 192.168.252.2 r1-eth0 Local 0.0.0.0 from 0.0.0.0 (192.168.255.1) Origin incomplete, metric 0, weight 32768, valid, sourced, best (First path received) Last update: Tue Apr 29 17:28:02 2025 BGP advertisement output json: { "prefix":"192.168.251.0/30", "version":1, "advertisedTo":{ "192.168.255.3":{ "hostname":"r3", "peerGroup":"PG" }, "192.168.251.2":{ "hostname":"r2", "peerGroup":"PG2" }, "192.168.252.2":{ "hostname":"r4", "peerGroup":"PG2" }, "r1-eth0":{ "hostname":"r2" } }, "paths":[ { "aspath":{ "string":"Local", "segments":[ ], "length":0 }, "origin":"incomplete", "metric":0, "weight":32768, "valid":true, "version":1, "sourced":true, "bestpath":{ "overall":true, "selectionReason":"First path received" }, "lastUpdate":{ "epoch":1744926043, "string":"Thu Apr 17 21:40:43 2025" }, "fibInstalled":true, "nexthops":[ { "ip":"0.0.0.0", "hostname":"r1", "afi":"ipv4", "metric":0, "accessible":true, "used":true } ], "peer":{ "peerId":"0.0.0.0", "routerId":"192.168.255.1" } } ] } Signed-off-by: Soumya Roy <souroy@nvidia.com>
ton31337
pushed a commit
that referenced
this pull request
May 20, 2025
Seen with isis_srv6_topo1 topotest. > ==178793==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 56 byte(s) in 1 object(s) allocated from: > #0 0x7f3f63cb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f3f6366f8dd in qcalloc lib/memory.c:105 > #2 0x561b810c62b7 in isis_srv6_sid_alloc isisd/isis_srv6.c:243 > #3 0x561b8111f944 in isis_zebra_srv6_sid_notify isisd/isis_zebra.c:1534 > #4 0x7f3f637df9d7 in zclient_read lib/zclient.c:4845 > #5 0x7f3f637779b2 in event_call lib/event.c:2011 > #6 0x7f3f63642ff1 in frr_run lib/libfrr.c:1216 > #7 0x561b81018bf2 in main isisd/isis_main.c:360 > #8 0x7f3f63029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: 0af0f46 ("isisd: Receive SRv6 SIDs notifications from zebra") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> (cherry picked from commit 25c813a)
ton31337
pushed a commit
that referenced
this pull request
May 20, 2025
A heap use after free when enabling bmp mirror on a non connected BMP target. > Apr 22 14:06:49 vRR-DUT systemd[1]: Started bfdd. > Apr 22 14:06:51 vRR-DUT bgpd[1522]: [VTCF0-ZHP6C] bmp: missing TX OPEN message for peer Static announcement > Apr 22 14:06:51 vRR-DUT bgpd[1522]: [K3RM9-4A4HY] bmp: missing RX OPEN message for peer Static announcement > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ================================================================= > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000321d0 at pc 0x7fe7f11c548e bp 0x7fff49f80d40 sp 0x7fff49f80d30 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: READ of size 8 at 0x60f0000321d0 thread T0 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f11c548d in typesafe_list_add /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f11c9347 in bmp_mirrorq_add_tail /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:116 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #2 0x7fe7f11d030f in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:867 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #9 0x7fe7f4c29e3f in __libc_start_main_impl ../csu/libc-start.c:392 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #10 0x55c756c6e384 in _start (/usr/bin/bgpd+0x272384) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x60f0000321d0 is located 0 bytes inside of 162-byte region [0x60f0000321d0,0x60f000032272) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: freed by thread T0 here: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f58b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f526f918 in qfree (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f918) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #2 0x7fe7f11d057b in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:875 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: previously allocated by thread T0 here: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f58b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f526f7c6 in qcalloc (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f7c6) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #2 0x7fe7f11cfd38 in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:835 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: SUMMARY: AddressSanitizer: heap-use-after-free /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 in typesafe_list_add > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow bytes around the buggy address: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe3f0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe410: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: =>0x0c1e7fffe430: 00 fa fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow byte legend (one shadow byte represents 8 application bytes): > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Addressable: 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Partially addressable: 01 02 03 04 05 06 07 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Heap left redzone: fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Freed heap region: fd > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack left redzone: f1 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack mid redzone: f2 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack right redzone: f3 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack after return: f5 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack use after scope: f8 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Global redzone: f9 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Global init order: f6 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Poisoned by user: f7 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Container overflow: fc > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Array cookie: ac > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Intra object redzone: bb > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ASan internal: fe > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Left alloca redzone: ca > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Right alloca redzone: cb > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow gap: cc > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ABORTING > Apr 22 14:06:52 vRR-DUT yams[449]: CONFIG: [{'name': 'ttyS0'}] > Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 50: Connection reset by peer > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Main process exited, code=exited, status=1/FAILURE > Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 39: Connection reset by peer > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Failed with result 'exit-code'. > Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 0) encountered an error and is shutting down. > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Consumed 2.361s CPU time. > Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 1) encountered an error and is shutting down. > Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 39 disconnected 0 bgp routes removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 39 disconnected 0 bgp nhgs removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [KQB7H-NPVW9] /build/make-pkg/output/_packages/cp-routing/src/zebra/zebra_ptm.c:1285 failed to find process pid registration > Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 50 disconnected 0 bgp routes removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 50 disconnected 0 bgp nhgs removed from the rib > Do not enqueue item in the mirror queue if no reference count has been found in the connection list. Fixes: b1ebe54 ("bgpd: bmp, handle imported bgp instances in bmp_mirror") Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com> (cherry picked from commit 02da52d)
ton31337
pushed a commit
that referenced
this pull request
May 20, 2025
Seen with isis_srv6_topo1 topotest. > ==178793==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 56 byte(s) in 1 object(s) allocated from: > #0 0x7f3f63cb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f3f6366f8dd in qcalloc lib/memory.c:105 > #2 0x561b810c62b7 in isis_srv6_sid_alloc isisd/isis_srv6.c:243 > #3 0x561b8111f944 in isis_zebra_srv6_sid_notify isisd/isis_zebra.c:1534 > #4 0x7f3f637df9d7 in zclient_read lib/zclient.c:4845 > #5 0x7f3f637779b2 in event_call lib/event.c:2011 > #6 0x7f3f63642ff1 in frr_run lib/libfrr.c:1216 > #7 0x561b81018bf2 in main isisd/isis_main.c:360 > #8 0x7f3f63029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: 0af0f46 ("isisd: Receive SRv6 SIDs notifications from zebra") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> (cherry picked from commit 25c813a)
NetDEF-CI
pushed a commit
that referenced
this pull request
Jun 5, 2025
Seen with bfd_vrf_topo1, and bgp_evpn_rt5 on Ubuntu 22.04 hwe. Do not call ns_delete() from zebra_vrf_delete(), which calls zebra_ns_delete(). - If a netns is removed from the system, vrf_delete()->zebra_vrf_delete() is called before calling ns_delete() (see zebra_ns_notify.c). - If zebra is terminating, zebra_ns_final_shutdown() will call zebra_vrf_delete(). > ==616172==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000ae3a4 at pc 0x556cdc178d8f bp 0x7ffe4f41ace0 sp 0x7ffe4f41acd0 > READ of size 4 at 0x6160000ae3a4 thread T0 > #0 0x556cdc178d8e in ctx_info_from_zns zebra/zebra_dplane.c:3394 > #1 0x556cdc178f55 in dplane_ctx_ns_init zebra/zebra_dplane.c:3410 > #2 0x556cdc17b829 in dplane_ctx_nexthop_init zebra/zebra_dplane.c:3759 > #3 0x556cdc18095f in dplane_nexthop_update_internal zebra/zebra_dplane.c:4566 > #4 0x556cdc1813f1 in dplane_nexthop_delete zebra/zebra_dplane.c:4793 > #5 0x556cdc229234 in zebra_nhg_uninstall_kernel zebra/zebra_nhg.c:3484 > #6 0x556cdc21f8fe in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1804 > #7 0x556cdc24b05a in route_entry_update_nhe zebra/zebra_rib.c:456 > #8 0x556cdc255083 in rib_re_nhg_free zebra/zebra_rib.c:2633 > #9 0x556cdc25e3bb in rib_unlink zebra/zebra_rib.c:4049 > #10 0x556cdc24c9b0 in zebra_rtable_node_cleanup zebra/zebra_rib.c:903 > #11 0x7fb25c173144 in route_node_free lib/table.c:75 > #12 0x7fb25c17337f in route_table_free lib/table.c:111 > #13 0x7fb25c172fe4 in route_table_finish lib/table.c:46 > #14 0x556cdc266f62 in zebra_router_free_table zebra/zebra_router.c:191 > #15 0x556cdc2673ef in zebra_router_terminate zebra/zebra_router.c:243 > #16 0x556cdc10638b in zebra_finalize zebra/main.c:240 > #17 0x7fb25c18e012 in event_call lib/event.c:2019 > #18 0x7fb25c04afc6 in frr_run lib/libfrr.c:1247 > #19 0x556cdc106deb in main zebra/main.c:543 > #20 0x7fb25ba29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #21 0x7fb25ba29e3f in __libc_start_main_impl ../csu/libc-start.c:392 > #22 0x556cdc0c7ed4 in _start (/usr/lib/frr/zebra+0x192ed4) > > 0x6160000ae3a4 is located 36 bytes inside of 592-byte region [0x6160000ae380,0x6160000ae5d0) > freed by thread T0 here: > #0 0x7fb25c6b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 > #1 0x7fb25c0790e3 in qfree lib/memory.c:131 > #2 0x556cdc22d9c9 in zebra_ns_delete zebra/zebra_ns.c:261 > #3 0x7fb25c0ac400 in ns_delete lib/netns_linux.c:319 > #4 0x556cdc28026a in zebra_vrf_delete zebra/zebra_vrf.c:343 > #5 0x7fb25c197443 in vrf_delete lib/vrf.c:282 > #6 0x7fb25c1987e8 in vrf_terminate_single lib/vrf.c:601 > #7 0x7fb25c197a7a in vrf_iterate lib/vrf.c:394 > #8 0x7fb25c198834 in vrf_terminate lib/vrf.c:609 > #9 0x556cdc106345 in zebra_finalize zebra/main.c:223 > #10 0x7fb25c18e012 in event_call lib/event.c:2019 > #11 0x7fb25c04afc6 in frr_run lib/libfrr.c:1247 > #12 0x556cdc106deb in main zebra/main.c:543 > #13 0x7fb25ba29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > previously allocated by thread T0 here: > #0 0x7fb25c6b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fb25c078f91 in qcalloc lib/memory.c:106 > #2 0x556cdc22d6a1 in zebra_ns_new zebra/zebra_ns.c:231 > #3 0x556cdc22e30b in zebra_ns_init zebra/zebra_ns.c:429 > #4 0x556cdc106cec in main zebra/main.c:480 > #5 0x7fb25ba29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > SUMMARY: AddressSanitizer: heap-use-after-free zebra/zebra_dplane.c:3394 in ctx_info_from_zns Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Jun 16, 2025
A crash is detected on an invalid memory access to the 0x0 address zone. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=130889386464320) > at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=130889386464320) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=130889386464320, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x0000770b0f042476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > #4 0x0000770b0f507846 in core_handler (signo=11, siginfo=0x7ffd4f7ec9f0, context=0x7ffd4f7ec8c0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > #5 <signal handler called> > #6 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:339 > #7 0x0000770b0f50bb54 in sockunion_set (su=0x7ffd4f7ed7b0, family=2, addr=0x0, bytes=4) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sockunion.c:500 > #8 0x00005f75d5430817 in nhrp_cie_pull (zb=0x5f75f262c4d0, hdr=0x5f75f2627dd8, nbma=0x7ffd4f7ed6d0, > proto=0x7ffd4f7ed7b0) at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:180 > #9 0x00005f75d5434652 in nhrp_peer_forward (p=0x5f75f2605f30, pp=0x7ffd4f7ed8c0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1050 > #10 0x00005f75d54356cb in nhrp_peer_recv (p=0x5f75f2605f30, zb=0x5f75f2627da0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1341 > #11 0x00005f75d5430d8e in nhrp_packet_recvraw (t=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:332 > #12 0x0000770b0f521188 in thread_call (thread=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > #13 0x0000770b0f4b7737 in frr_run (master=0x5f75f2440570) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1155 > #14 0x00005f75d542d2b4 in main (argc=3, argv=0x7ffd4f7ee0b8) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_main.c:317 The incoming nhrp packet is too short, and the call to sockunion_set() uses a 0x0 memory zone, because the whole nhrp packet has been parsed, and the zbuf length used was 0. Fix this by detecting the zbuf remaining length before calling sockunion_set. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Jun 16, 2025
A crash is detected on an invalid memory access to the 0x0 address zone. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=130889386464320) > at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=130889386464320) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=130889386464320, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x0000770b0f042476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > #4 0x0000770b0f507846 in core_handler (signo=11, siginfo=0x7ffd4f7ec9f0, context=0x7ffd4f7ec8c0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > #5 <signal handler called> > #6 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:339 > #7 0x0000770b0f50bb54 in sockunion_set (su=0x7ffd4f7ed7b0, family=2, addr=0x0, bytes=4) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sockunion.c:500 > #8 0x00005f75d5430817 in nhrp_cie_pull (zb=0x5f75f262c4d0, hdr=0x5f75f2627dd8, nbma=0x7ffd4f7ed6d0, > proto=0x7ffd4f7ed7b0) at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:180 > #9 0x00005f75d5434652 in nhrp_peer_forward (p=0x5f75f2605f30, pp=0x7ffd4f7ed8c0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1050 > #10 0x00005f75d54356cb in nhrp_peer_recv (p=0x5f75f2605f30, zb=0x5f75f2627da0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1341 > #11 0x00005f75d5430d8e in nhrp_packet_recvraw (t=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:332 > #12 0x0000770b0f521188 in thread_call (thread=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > #13 0x0000770b0f4b7737 in frr_run (master=0x5f75f2440570) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1155 > #14 0x00005f75d542d2b4 in main (argc=3, argv=0x7ffd4f7ee0b8) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_main.c:317 The incoming nhrp packet is too short, and the call to sockunion_set() uses a 0x0 memory zone, because the whole nhrp packet has been parsed, and the zbuf length used was 0. Fix this by detecting the zbuf remaining length before calling sockunion_set. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com> (cherry picked from commit 30e479e)
NetDEF-CI
pushed a commit
that referenced
this pull request
Jun 16, 2025
A crash is detected on an invalid memory access to the 0x0 address zone. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=130889386464320) > at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=130889386464320) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=130889386464320, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x0000770b0f042476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > #4 0x0000770b0f507846 in core_handler (signo=11, siginfo=0x7ffd4f7ec9f0, context=0x7ffd4f7ec8c0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > #5 <signal handler called> > #6 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:339 > #7 0x0000770b0f50bb54 in sockunion_set (su=0x7ffd4f7ed7b0, family=2, addr=0x0, bytes=4) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sockunion.c:500 > #8 0x00005f75d5430817 in nhrp_cie_pull (zb=0x5f75f262c4d0, hdr=0x5f75f2627dd8, nbma=0x7ffd4f7ed6d0, > proto=0x7ffd4f7ed7b0) at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:180 > #9 0x00005f75d5434652 in nhrp_peer_forward (p=0x5f75f2605f30, pp=0x7ffd4f7ed8c0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1050 > #10 0x00005f75d54356cb in nhrp_peer_recv (p=0x5f75f2605f30, zb=0x5f75f2627da0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1341 > #11 0x00005f75d5430d8e in nhrp_packet_recvraw (t=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:332 > #12 0x0000770b0f521188 in thread_call (thread=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > #13 0x0000770b0f4b7737 in frr_run (master=0x5f75f2440570) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1155 > #14 0x00005f75d542d2b4 in main (argc=3, argv=0x7ffd4f7ee0b8) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_main.c:317 The incoming nhrp packet is too short, and the call to sockunion_set() uses a 0x0 memory zone, because the whole nhrp packet has been parsed, and the zbuf length used was 0. Fix this by detecting the zbuf remaining length before calling sockunion_set. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com> (cherry picked from commit 30e479e)
ton31337
pushed a commit
that referenced
this pull request
Jun 19, 2025
A crash is detected on an invalid memory access to the 0x0 address zone. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=130889386464320) > at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=130889386464320) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=130889386464320, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x0000770b0f042476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > #4 0x0000770b0f507846 in core_handler (signo=11, siginfo=0x7ffd4f7ec9f0, context=0x7ffd4f7ec8c0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > #5 <signal handler called> > #6 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:339 > #7 0x0000770b0f50bb54 in sockunion_set (su=0x7ffd4f7ed7b0, family=2, addr=0x0, bytes=4) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sockunion.c:500 > #8 0x00005f75d5430817 in nhrp_cie_pull (zb=0x5f75f262c4d0, hdr=0x5f75f2627dd8, nbma=0x7ffd4f7ed6d0, > proto=0x7ffd4f7ed7b0) at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:180 > #9 0x00005f75d5434652 in nhrp_peer_forward (p=0x5f75f2605f30, pp=0x7ffd4f7ed8c0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1050 > #10 0x00005f75d54356cb in nhrp_peer_recv (p=0x5f75f2605f30, zb=0x5f75f2627da0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1341 > #11 0x00005f75d5430d8e in nhrp_packet_recvraw (t=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:332 > #12 0x0000770b0f521188 in thread_call (thread=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > #13 0x0000770b0f4b7737 in frr_run (master=0x5f75f2440570) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1155 > #14 0x00005f75d542d2b4 in main (argc=3, argv=0x7ffd4f7ee0b8) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_main.c:317 The incoming nhrp packet is too short, and the call to sockunion_set() uses a 0x0 memory zone, because the whole nhrp packet has been parsed, and the zbuf length used was 0. Fix this by detecting the zbuf remaining length before calling sockunion_set. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com> (cherry picked from commit 30e479e)
NetDEF-CI
pushed a commit
that referenced
this pull request
Jul 2, 2025
issue detected by Address Sanitizer Error :
Address Sanitizer Error detected in /tmp_topotests/bgp_listen_l3vrf.test_bgp_listen_l3vrf/r1.asan.bgpd.6703
=================================================================
==6703==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 56 byte(s) in 1 object(s) allocated from:
#0 0x7f34c28b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x7f34c241b45a in qcalloc lib/memory.c:111
#2 0x7f34c247b1da in prefix_new lib/prefix.c:1192
#3 0x55e0992e2041 in peer_group_listen_range_add bgpd/bgpd.c:3258
#4 0x55e099282694 in bgp_listen_range bgpd/bgp_vty.c:4848
#5 0x7f34c2397bc0 in cmd_execute_command_real lib/command.c:1011
#6 0x7f34c2397edf in cmd_execute_command lib/command.c:1070
#7 0x7f34c239840b in cmd_execute lib/command.c:1236
#8 0x7f34c24e204e in vty_command lib/vty.c:626
#9 0x7f34c24e259b in vty_execute lib/vty.c:1389
#10 0x7f34c24e5f97 in vtysh_read lib/vty.c:2408
#11 0x7f34c24d2958 in event_call lib/event.c:2005
#12 0x7f34c23fc4e0 in frr_run lib/libfrr.c:1247
#13 0x55e0990949ff in main bgpd/bgp_main.c:565
#14 0x7f34c1e2c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: 56 byte(s) leaked in 1 allocation(s).
***********************************************************************************
Signed-off-by: Francois Dumontet <francois.dumontet@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Jul 5, 2025
The sub sub tlv options of the srv6 prefix sid option is partially visible hen compiling with enable-bgp-vnc, but not in json neither in other parts of the code. > # show bgp ipv6 vpn > [..] > *> 2001:db9:10::/64 ::@8< 0 32768 ? > UN=:: EC{99:99} label=3 sid=fc05:0:5:cece:2345:: sid_structure=[32,16,32,0] type=bgp, subtype=5 > # show bgp ipv6 vpn detail json > [..] > ,"2001:db9:10::/64": [{"aspath":{"string":"Local","segments":[],"length":0},"nhVrfName":"vrf10","nhVrfId":8, > "announceNexthopSelf":true,"origin":"incomplete","metric":0,"weight":32768,"valid":true,"version":1,"sourced":true, > "local":true,"bestpath":{"overall":true,"selectionReason":"First path received"},"extendedCommunity":{"string":"RT:99:99"}, > "originatorId":"5.5.5.5","remoteLabel":3," id":"fc05:0:5:cece:2345::", > "lastUpdate":{"epoch":1751440457,"string":"Wed Jul 2 09:14:17 2025"}, > "nexthops":[{"ip":"::","hostname":"rt5","afi":"ipv6","scope":"global", > "linkLocalOnly":false,"length":16,"metric":0,"accessible":true,"used":true}], > "peer":{"peerId":"::","routerId":"5.5.5.5"}}] Add json attributes to display the attribute values in a remoteSidStructure entry. Display the attribute values in a show command with detailed information. > rt5# show bgp ipv6 vpn 2001:db9:10::/64 > BGP routing table entry for 5:10:2001:db9:10::/64, version 2 > not allocated > Paths: (1 available, best #1) > Advertised to peers: > fc00:0:1::1 > Local > :: from :: (5.5.5.5) vrf vrf10(8) announce-nh-self > Origin incomplete, metric 0, weight 32768, valid, sourced, local, best (First path received) > Extended Community: RT:99:99 > Originator: 5.5.5.5 > Remote label: 3 > Remote SID: fc05:0:5:cece:2345::, sid structure=[32 16 32 0 0 0] > Last update: Wed Jul 2 09:53:59 2025 > rt5# show bgp ipv6 vpn detail json > [..] > "remoteSid":"fc05:0:5:cece:2345::", > "remoteSidStructure":{ > "locatorBlockLen":32, > "locatorNodeLen":16, > "functionLen":32, > "argumentLen":0, > "transpositionLen":0, > "transpositionOffset":0 > }, Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Jul 9, 2025
Memory leak happens when modifying srv6 configuration. Some sid notifications events will flush a valid srv6 context. > Direct leak of 736 byte(s) in 2 object(s) allocated from: > #0 0x7c112c0fd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 > #1 0x7c112bc3595e in qcalloc lib/memory.c:111 > #2 0x7c112bc4d37e in srv6_locator_alloc lib/srv6.c:227 > #3 0x5f9fa87e7acf in bgp_zebra_srv6_sid_notify bgpd/bgp_zebra.c:3662 > #4 0x7c112bd32d12 in zclient_read lib/zclient.c:4804 > #5 0x7c112bcfaa90 in event_call lib/event.c:2005 > #6 0x7c112bc118a7 in frr_run lib/libfrr.c:1252 > #7 0x5f9fa85674b4 in main bgpd/bgp_main.c:565 > #8 0x7c112b42a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #9 0x7c112b42a28a in __libc_start_main_impl ../csu/libc-start.c:360 > #10 0x5f9fa856cbd4 in _start (/usr/lib/frr/bgpd+0x2d5bd4) (BuildId: 16288c5292cf235ab5251a93b7dbae5874c3f4bc) > > Indirect leak of 80 byte(s) in 2 object(s) allocated from: > #0 0x7c112c0fd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 > #1 0x7c112bc3595e in qcalloc lib/memory.c:111 > #2 0x7c112bc4d396 in srv6_locator_alloc lib/srv6.c:229 > #3 0x5f9fa87e7acf in bgp_zebra_srv6_sid_notify bgpd/bgp_zebra.c:3662 > #4 0x7c112bd32d12 in zclient_read lib/zclient.c:4804 > #5 0x7c112bcfaa90 in event_call lib/event.c:2005 > #6 0x7c112bc118a7 in frr_run lib/libfrr.c:1252 > #7 0x5f9fa85674b4 in main bgpd/bgp_main.c:565 > #8 0x7c112b42a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #9 0x7c112b42a28a in __libc_start_main_impl ../csu/libc-start.c:360 > #10 0x5f9fa856cbd4 in _start (/usr/lib/frr/bgpd+0x2d5bd4) (BuildId: 16288c5292cf235ab5251a93b7dbae5874c3f4bc) Fixes: 7a2e64e ("bgpd: Receive SRv6 SIDs notification from zebra") Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Jul 9, 2025
When SRv6 locator is modified for configuration, a memory leak is observed. > ==26714==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 1104 byte(s) in 3 object(s) allocated from: > #0 0x7fb232cb83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 > #1 0x7fb232822b79 in qcalloc lib/memory.c:111 > #2 0x7fb23283a8b6 in srv6_locator_alloc lib/srv6.c:227 > #3 0x56347cdd4b57 in bgp_zebra_srv6_sid_notify bgpd/bgp_zebra.c:3661 > #4 0x7fb23290d03e in zclient_read lib/zclient.c:4804 > #5 0x7fb2328da6a0 in event_call lib/event.c:2005 > #6 0x7fb232800791 in frr_run lib/libfrr.c:1252 > #7 0x56347cb929ff in main bgpd/bgp_main.c:565 > #8 0x7fb23222c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Jul 17, 2025
The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 #2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 #3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 #4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 #5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 #6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <anlan_cs@126.com>
NetDEF-CI
pushed a commit
that referenced
this pull request
Jul 18, 2025
The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 #2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 #3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 #4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 #5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 #6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <anlan_cs@126.com> (cherry picked from commit fa67f51)
NetDEF-CI
pushed a commit
that referenced
this pull request
Jul 18, 2025
The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 #2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 #3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 #4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 #5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 #6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <anlan_cs@126.com> (cherry picked from commit fa67f51)
ton31337
pushed a commit
that referenced
this pull request
Jul 28, 2025
The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 #2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 #3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 #4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 #5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 #6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <anlan_cs@126.com> (cherry picked from commit fa67f51)
ton31337
pushed a commit
that referenced
this pull request
Jul 28, 2025
A crash is detected on an invalid memory access to the 0x0 address zone. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=130889386464320) > at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=130889386464320) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=130889386464320, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x0000770b0f042476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > #4 0x0000770b0f507846 in core_handler (signo=11, siginfo=0x7ffd4f7ec9f0, context=0x7ffd4f7ec8c0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > #5 <signal handler called> > #6 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:339 > #7 0x0000770b0f50bb54 in sockunion_set (su=0x7ffd4f7ed7b0, family=2, addr=0x0, bytes=4) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sockunion.c:500 > #8 0x00005f75d5430817 in nhrp_cie_pull (zb=0x5f75f262c4d0, hdr=0x5f75f2627dd8, nbma=0x7ffd4f7ed6d0, > proto=0x7ffd4f7ed7b0) at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:180 > #9 0x00005f75d5434652 in nhrp_peer_forward (p=0x5f75f2605f30, pp=0x7ffd4f7ed8c0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1050 > #10 0x00005f75d54356cb in nhrp_peer_recv (p=0x5f75f2605f30, zb=0x5f75f2627da0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1341 > #11 0x00005f75d5430d8e in nhrp_packet_recvraw (t=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:332 > #12 0x0000770b0f521188 in thread_call (thread=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > #13 0x0000770b0f4b7737 in frr_run (master=0x5f75f2440570) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1155 > #14 0x00005f75d542d2b4 in main (argc=3, argv=0x7ffd4f7ee0b8) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_main.c:317 The incoming nhrp packet is too short, and the call to sockunion_set() uses a 0x0 memory zone, because the whole nhrp packet has been parsed, and the zbuf length used was 0. Fix this by detecting the zbuf remaining length before calling sockunion_set. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com> (cherry picked from commit 30e479e)
ton31337
pushed a commit
that referenced
this pull request
Jul 28, 2025
The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 #2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 #3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 #4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 #5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 #6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <anlan_cs@126.com> (cherry picked from commit fa67f51)
ton31337
pushed a commit
that referenced
this pull request
Jul 28, 2025
A crash is detected on an invalid memory access to the 0x0 address zone. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=130889386464320) > at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=130889386464320) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=130889386464320, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x0000770b0f042476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > #4 0x0000770b0f507846 in core_handler (signo=11, siginfo=0x7ffd4f7ec9f0, context=0x7ffd4f7ec8c0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > #5 <signal handler called> > #6 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:339 > #7 0x0000770b0f50bb54 in sockunion_set (su=0x7ffd4f7ed7b0, family=2, addr=0x0, bytes=4) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sockunion.c:500 > #8 0x00005f75d5430817 in nhrp_cie_pull (zb=0x5f75f262c4d0, hdr=0x5f75f2627dd8, nbma=0x7ffd4f7ed6d0, > proto=0x7ffd4f7ed7b0) at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:180 > #9 0x00005f75d5434652 in nhrp_peer_forward (p=0x5f75f2605f30, pp=0x7ffd4f7ed8c0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1050 > #10 0x00005f75d54356cb in nhrp_peer_recv (p=0x5f75f2605f30, zb=0x5f75f2627da0) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_peer.c:1341 > #11 0x00005f75d5430d8e in nhrp_packet_recvraw (t=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_packet.c:332 > #12 0x0000770b0f521188 in thread_call (thread=0x7ffd4f7ede80) > at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > #13 0x0000770b0f4b7737 in frr_run (master=0x5f75f2440570) > at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1155 > #14 0x00005f75d542d2b4 in main (argc=3, argv=0x7ffd4f7ee0b8) > at /build/make-pkg/output/_packages/cp-routing/src/nhrpd/nhrp_main.c:317 The incoming nhrp packet is too short, and the call to sockunion_set() uses a 0x0 memory zone, because the whole nhrp packet has been parsed, and the zbuf length used was 0. Fix this by detecting the zbuf remaining length before calling sockunion_set. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com> (cherry picked from commit 30e479e)
ton31337
pushed a commit
that referenced
this pull request
Jul 28, 2025
The `match->rule_str` may is NULL, like: ``` ip prefix-list plist1 deny any route-map rm1 deny 10 match evpn default-route ``` The stack: ``` #0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173 #1 0x00007ffff7e5a7ea in route_map_pentry_process_dependency ( bucket=0x5555561fb270, data=0x7fffffff96e0) at ../lib/routemap.c:2466 #2 0x00007ffff7de983d in hash_iterate (hash=0x555556208e50, func=0x7ffff7e5a6f3 <route_map_pentry_process_dependency>, arg=0x7fffffff96e0) at ../lib/hash.c:252 #3 0x00007ffff7e5a99d in route_map_notify_pentry_dependencies ( affected_name=0x5555561fb720 "plist1", pentry=0x555556201040, event=RMAP_EVENT_PLIST_ADDED) at ../lib/routemap.c:2513 #4 0x00007ffff7e4a275 in prefix_list_entry_update_finish (ple=0x555556201040) at ../lib/plist.c:697 #5 0x00007ffff7de38c9 in lib_prefix_list_entry_apply_finish (args=0x7fffffff97b0) at ../lib/filter_nb.c:1233 #6 0x00007ffff7e3228a in nb_callback_apply_finish (context=0x555556204970, nb_node=0x555555b51860, dnode=0x5555561e47b0, errmsg=0x7fffffff9d00 "", errmsg_len=8192) at ../lib/northbound.c:1772 ``` Signed-off-by: anlan_cs <anlan_cs@126.com> (cherry picked from commit fa67f51)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
First schwag at getting the show bgp commands under control in this crazy crazy world