bgpd: fix double-free of EVPN attrs with soft-reconf

Tuetuopay · Tuetuopay · commit 8d03451c72c7 · 2025-03-17T17:03:52.000+01:00
With soft reconfiguration, the BGP attributes are interned, but the EVPN attributes contained by the standard attributes are also interned. However, during BGP route processing, we performed a copy of the attributes in a new_attr struct, performing a shallow-copy. This made two structs point to the same interned EVPN attributes, freeing the attributes at the end of the input processing. Fix the double-free by increasing the refcount when shallow-copying the attributes. The direct symptom can be seen with a topotest, where bgpd segfaults on exit when cleaning up peer data: FRRouting#12 0x00007fc57d6a8ff5 in malloc_printerr (str=str@entry=0x7fc57d7d18a0 "malloc_consolidate(): unaligned fastbin chunk detected") at ./malloc/malloc.c:5772 FRRouting#13 0x00007fc57d6a9d4c in malloc_consolidate (av=0x7fc57d803ac0 <main_arena>) at ./malloc/malloc.c:4846 FRRouting#14 0x00007fc57d6aada5 in _int_free_maybe_consolidate (av=0x7fc57d803ac0 <main_arena>, size=<optimized out>) at ./malloc/malloc.c:4779 FRRouting#15 0x00007fc57d6ab43a in _int_free (av=0x7fc57d803ac0 <main_arena>, p=<optimized out>, have_lock=<optimized out>) at ./malloc/malloc.c:4646 FRRouting#16 0x00007fc57d6addae in __GI___libc_free (mem=0x55704295e8a0) at ./malloc/malloc.c:3398 FRRouting#17 0x00007fc57dada55e in qfree (mt=mt@entry=0x7fc57dc34e60 <MTYPE_STREAM>, ptr=<optimized out>) at lib/memory.c:131 FRRouting#18 0x00007fc57db1b8f8 in stream_free (s=<optimized out>) at lib/stream.c:109 FRRouting#19 0x000055704186539e in sync_delete (subgrp=0x557042957f00) at bgpd/bgp_updgrp.c:108 FRRouting#20 update_subgroup_delete (subgrp=0x557042957f00) at bgpd/bgp_updgrp.c:1167 FRRouting#21 0x0000557041866c75 in update_subgroup_check_delete (subgrp=<optimized out>) at bgpd/bgp_updgrp.c:1202 FRRouting#22 0x00005570417fbf51 in update_group_remove_peer_afs (peer=<optimized out>) at ./bgpd/bgp_updgrp.h:523 FRRouting#23 bgp_stop (connection=<optimized out>) at bgpd/bgp_fsm.c:1478 FRRouting#24 0x0000557041800357 in bgp_event_update (connection=0x557042956b50, event=TCP_connection_closed) at bgpd/bgp_fsm.c:2655 FRRouting#25 0x00007fc57db28fae in event_call (thread=thread@entry=0x7ffe0c687760) at lib/event.c:2019 FRRouting#26 0x00007fc57daccb28 in frr_run (master=0x5570421106e0) at lib/libfrr.c:1247 FRRouting#27 0x00005570417b1fd3 in main (argc=<optimized out>, argv=0x7ffe0c687a28) at bgpd/bgp_main.c:557 Fixes: 4ace11d ("bgpd: Move evpn_overlay to a pointer")
diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
@@ -5159,6 +5159,17 @@ void bgp_update(struct peer *peer, const struct prefix *p, uint32_t addpath_id,
 		}
 
 	new_attr = *attr;
+	if (CHECK_FLAG(peer->af_flags[afi][safi], PEER_FLAG_SOFT_RECONFIG)) {
+		/* For soft-reconfiguration, the attributes are interned. If
+		 * the EVPN attributes are set, they are ref-counted. We
+		 * perform a shallow-copy of the attribtues above, thus need to
+		 * increase the EVPN refcount to avoid a double-free later on.
+		 */
+		struct bgp_route_evpn *bre = bgp_attr_get_evpn_overlay(attr);
+		if (bre && bre->refcnt)
+			bre->refcnt++;
+	}
+
 	/*
 	 * If bgp_update is called with soft_reconfig set then
 	 * attr is interned. In this case, do not overwrite the
