Fix for pcep counters show with null session #6

bradyallenjohnson · 2020-04-15T09:00:37Z

Fix for pcep counters show with null session

also fixed a few minor compilation warnings

- also fixed a few minor compilation warnings

This problem was reported by the sanitizer - ================================================================= ==24764==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000115c8 at pc 0x55cb9cfad312 bp 0x7fffa0552140 sp 0x7fffa0552138 READ of size 8 at 0x60d0000115c8 thread T0 #0 0x55cb9cfad311 in zebra_evpn_remote_es_flush zebra/zebra_evpn_mh.c:2041 #1 0x55cb9cfad311 in zebra_evpn_es_cleanup zebra/zebra_evpn_mh.c:2234 #2 0x55cb9cf6ae78 in zebra_vrf_disable zebra/zebra_vrf.c:205 #3 0x7fc8d478f114 in vrf_delete lib/vrf.c:229 #4 0x7fc8d478f99a in vrf_terminate lib/vrf.c:541 #5 0x55cb9ceba0af in sigint zebra/main.c:176 #6 0x55cb9ceba0af in sigint zebra/main.c:130 #7 0x7fc8d4765d20 in quagga_sigevent_process lib/sigevent.c:103 #8 0x7fc8d4787e8c in thread_fetch lib/thread.c:1396 #9 0x7fc8d4708782 in frr_run lib/libfrr.c:1092 #10 0x55cb9ce931d8 in main zebra/main.c:488 #11 0x7fc8d43ee09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) #12 0x55cb9ce94c09 in _start (/usr/lib/frr/zebra+0x8ac09) ================================================================= Signed-off-by: Anuradha Karuppiah <[email protected]>

When zebra is running with debugs turned on there is a use after free reported by the address sanitizer: 2020/10/16 12:58:02 ZEBRA: rib_delnode: (0:254):4.5.6.16/32: rn 0x60b000026f20, re 0x6080000131a0, removing 2020/10/16 12:58:02 ZEBRA: rib_meta_queue_add: (0:254):4.5.6.16/32: queued rn 0x60b000026f20 into sub-queue 3 ================================================================= ==3101430==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011d28 at pc 0x555555705ab6 bp 0x7fffffffdab0 sp 0x7fffffffdaa8 READ of size 8 at 0x608000011d28 thread T0 #0 0x555555705ab5 in re_list_const_first zebra/rib.h:222 #1 0x555555705b54 in re_list_first zebra/rib.h:222 #2 0x555555711a4f in process_subq_route zebra/zebra_rib.c:2248 #3 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 #4 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 #5 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 #6 0x7ffff7450e9c in thread_call lib/thread.c:1581 #7 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 #8 0x55555561a578 in main zebra/main.c:455 #9 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 #10 0x5555555e3429 in _start (/usr/lib/frr/zebra+0x8f429) 0x608000011d28 is located 8 bytes inside of 88-byte region [0x608000011d20,0x608000011d78) freed by thread T0 here: #0 0x7ffff768bb6f in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f) #1 0x7ffff739ccad in qfree lib/memory.c:129 #2 0x555555709ee4 in rib_gc_dest zebra/zebra_rib.c:746 #3 0x55555570ca76 in rib_process zebra/zebra_rib.c:1240 #4 0x555555711a05 in process_subq_route zebra/zebra_rib.c:2245 #5 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 #6 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 #7 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 #8 0x7ffff7450e9c in thread_call lib/thread.c:1581 #9 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 #10 0x55555561a578 in main zebra/main.c:455 #11 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ffff768c037 in calloc (/lib/x86_64-linux-gnu/libasan.so.6+0xaa037) #1 0x7ffff739cb98 in qcalloc lib/memory.c:110 #2 0x555555712ace in zebra_rib_create_dest zebra/zebra_rib.c:2515 #3 0x555555712c6c in rib_link zebra/zebra_rib.c:2576 #4 0x555555712faa in rib_addnode zebra/zebra_rib.c:2607 #5 0x555555715bf0 in rib_add_multipath_nhe zebra/zebra_rib.c:3012 #6 0x555555715f56 in rib_add_multipath zebra/zebra_rib.c:3049 #7 0x55555571788b in rib_add zebra/zebra_rib.c:3327 #8 0x5555555e584a in connected_up zebra/connected.c:254 #9 0x5555555e42ff in connected_announce zebra/connected.c:94 #10 0x5555555e4fd3 in connected_update zebra/connected.c:195 #11 0x5555555e61ad in connected_add_ipv4 zebra/connected.c:340 #12 0x5555555f26f5 in netlink_interface_addr zebra/if_netlink.c:1213 #13 0x55555560f756 in netlink_information_fetch zebra/kernel_netlink.c:350 #14 0x555555612e49 in netlink_parse_info zebra/kernel_netlink.c:941 #15 0x55555560f9f1 in kernel_read zebra/kernel_netlink.c:402 #16 0x7ffff7450e9c in thread_call lib/thread.c:1581 #17 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 #18 0x55555561a578 in main zebra/main.c:455 #19 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free zebra/rib.h:222 in re_list_const_first This is happening because we are using the dest pointer after a call into rib_gc_dest. In process_subq_route, we call rib_process() and if the dest is deleted dest pointer is now garbage. We must reload the dest pointer in this case. Signed-off-by: Donald Sharp <[email protected]>

We are using data after it has been freed and handed back to the OS. Address Sanitizer output: error 23-Nov-2020 18:53:57 ERROR: AddressSanitizer: heap-use-after-free on address 0x631000024838 at pc 0x55f825998f58 bp 0x7fffa5b0f5b0 sp 0x7fffa5b0f5a0 error 23-Nov-2020 18:53:57 READ of size 4 at 0x631000024838 thread T0 error 23-Nov-2020 18:53:57 #0 0x55f825998f57 in lde_imsg_compose_parent_sync ldpd/lde.c:226 error 23-Nov-2020 18:53:57 #1 0x55f8259ca9ed in vlog ldpd/log.c:48 error 23-Nov-2020 18:53:57 #2 0x55f8259cb1c8 in log_info ldpd/log.c:102 error 23-Nov-2020 18:53:57 #3 0x55f82599e841 in lde_shutdown ldpd/lde.c:208 error 23-Nov-2020 18:53:57 #4 0x55f8259a2703 in lde_dispatch_parent ldpd/lde.c:666 error 23-Nov-2020 18:53:57 #5 0x55f825ac3815 in thread_call lib/thread.c:1681 error 23-Nov-2020 18:53:57 #6 0x55f825998d5e in lde ldpd/lde.c:160 error 23-Nov-2020 18:53:57 #7 0x55f82598a289 in main ldpd/ldpd.c:320 error 23-Nov-2020 18:53:57 #8 0x7fe3f749db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 23-Nov-2020 18:53:57 #9 0x55f825982579 in _start (/usr/lib/frr/ldpd+0xb3579) error 23-Nov-2020 18:53:57 error 23-Nov-2020 18:53:57 0x631000024838 is located 65592 bytes inside of 65632-byte region [0x631000014800,0x631000024860) error 23-Nov-2020 18:53:57 freed by thread T0 here: error 23-Nov-2020 18:53:57 #0 0x7fe3f8a4d7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) error 23-Nov-2020 18:53:57 #1 0x55f82599e830 in lde_shutdown ldpd/lde.c:206 error 23-Nov-2020 18:53:57 #2 0x55f8259a2703 in lde_dispatch_parent ldpd/lde.c:666 error 23-Nov-2020 18:53:57 #3 0x55f825ac3815 in thread_call lib/thread.c:1681 error 23-Nov-2020 18:53:57 #4 0x55f825998d5e in lde ldpd/lde.c:160 error 23-Nov-2020 18:53:57 #5 0x55f82598a289 in main ldpd/ldpd.c:320 error 23-Nov-2020 18:53:57 #6 0x7fe3f749db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 23-Nov-2020 18:53:57 error 23-Nov-2020 18:53:57 previously allocated by thread T0 here: error 23-Nov-2020 18:53:57 #0 0x7fe3f8a4dd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) error 23-Nov-2020 18:53:57 #1 0x55f825998cb7 in lde ldpd/lde.c:151 error 23-Nov-2020 18:53:57 #2 0x55f82598a289 in main ldpd/ldpd.c:320 error 23-Nov-2020 18:53:57 #3 0x7fe3f749db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 23-Nov-2020 18:53:57 The fix is to put this in global space. Signed-off-by: Donald Sharp <[email protected]>

error 26-Nov-2020 14:35:02 ERROR: AddressSanitizer: heap-use-after-free on address 0x631000024838 at pc 0x55cefae977e9 bp 0x7ffdd3546860 sp 0x7ffdd3546850 error 26-Nov-2020 14:35:02 READ of size 4 at 0x631000024838 thread T0 error 26-Nov-2020 14:35:02 #0 0x55cefae977e8 in ldpe_imsg_compose_parent_sync ldpd/ldpe.c:256 error 26-Nov-2020 14:35:02 #1 0x55cefae9ab13 in vlog ldpd/log.c:53 error 26-Nov-2020 14:35:02 #2 0x55cefae9b21f in log_info ldpd/log.c:102 error 26-Nov-2020 14:35:02 #3 0x55cefae96eae in ldpe_shutdown ldpd/ldpe.c:237 error 26-Nov-2020 14:35:02 #4 0x55cefae99254 in ldpe_dispatch_main ldpd/ldpe.c:585 error 26-Nov-2020 14:35:02 #5 0x55cefaf93875 in thread_call lib/thread.c:1681 error 26-Nov-2020 14:35:02 #6 0x55cefae97304 in ldpe ldpd/ldpe.c:136 error 26-Nov-2020 14:35:02 #7 0x55cefae5a2e2 in main ldpd/ldpd.c:322 error 26-Nov-2020 14:35:02 #8 0x7f4ef0c33b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 26-Nov-2020 14:35:02 #9 0x55cefae525e9 in _start (/usr/lib/frr/ldpd+0xb35e9) error 26-Nov-2020 14:35:02 error 26-Nov-2020 14:35:02 0x631000024838 is located 65592 bytes inside of 65632-byte region [0x631000014800,0x631000024860) error 26-Nov-2020 14:35:02 freed by thread T0 here: error 26-Nov-2020 14:35:02 #0 0x7f4ef21e37a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) error 26-Nov-2020 14:35:02 #1 0x55cefae96e91 in ldpe_shutdown ldpd/ldpe.c:234 error 26-Nov-2020 14:35:02 #2 0x55cefae99254 in ldpe_dispatch_main ldpd/ldpe.c:585 error 26-Nov-2020 14:35:02 #3 0x55cefaf93875 in thread_call lib/thread.c:1681 error 26-Nov-2020 14:35:02 #4 0x55cefae97304 in ldpe ldpd/ldpe.c:136 error 26-Nov-2020 14:35:02 #5 0x55cefae5a2e2 in main ldpd/ldpd.c:322 error 26-Nov-2020 14:35:02 #6 0x7f4ef0c33b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 26-Nov-2020 14:35:02 error 26-Nov-2020 14:35:02 previously allocated by thread T0 here: error 26-Nov-2020 14:35:02 #0 0x7f4ef21e3d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) error 26-Nov-2020 14:35:02 #1 0x55cefae9725d in ldpe ldpd/ldpe.c:127 error 26-Nov-2020 14:35:02 #2 0x55cefae5a2e2 in main ldpd/ldpd.c:322 error 26-Nov-2020 14:35:02 #3 0x7f4ef0c33b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) Clean this problem up in the same way as the previous commit Signed-off-by: Donald Sharp <[email protected]>

We are using data after it has been freed and handed back to the OS. Address Sanitizer output: error 23-Nov-2020 18:53:57 ERROR: AddressSanitizer: heap-use-after-free on address 0x631000024838 at pc 0x55f825998f58 bp 0x7fffa5b0f5b0 sp 0x7fffa5b0f5a0 error 23-Nov-2020 18:53:57 READ of size 4 at 0x631000024838 thread T0 error 23-Nov-2020 18:53:57 #0 0x55f825998f57 in lde_imsg_compose_parent_sync ldpd/lde.c:226 error 23-Nov-2020 18:53:57 #1 0x55f8259ca9ed in vlog ldpd/log.c:48 error 23-Nov-2020 18:53:57 #2 0x55f8259cb1c8 in log_info ldpd/log.c:102 error 23-Nov-2020 18:53:57 #3 0x55f82599e841 in lde_shutdown ldpd/lde.c:208 error 23-Nov-2020 18:53:57 #4 0x55f8259a2703 in lde_dispatch_parent ldpd/lde.c:666 error 23-Nov-2020 18:53:57 #5 0x55f825ac3815 in thread_call lib/thread.c:1681 error 23-Nov-2020 18:53:57 #6 0x55f825998d5e in lde ldpd/lde.c:160 error 23-Nov-2020 18:53:57 #7 0x55f82598a289 in main ldpd/ldpd.c:320 error 23-Nov-2020 18:53:57 #8 0x7fe3f749db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 23-Nov-2020 18:53:57 #9 0x55f825982579 in _start (/usr/lib/frr/ldpd+0xb3579) error 23-Nov-2020 18:53:57 error 23-Nov-2020 18:53:57 0x631000024838 is located 65592 bytes inside of 65632-byte region [0x631000014800,0x631000024860) error 23-Nov-2020 18:53:57 freed by thread T0 here: error 23-Nov-2020 18:53:57 #0 0x7fe3f8a4d7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) error 23-Nov-2020 18:53:57 #1 0x55f82599e830 in lde_shutdown ldpd/lde.c:206 error 23-Nov-2020 18:53:57 #2 0x55f8259a2703 in lde_dispatch_parent ldpd/lde.c:666 error 23-Nov-2020 18:53:57 #3 0x55f825ac3815 in thread_call lib/thread.c:1681 error 23-Nov-2020 18:53:57 #4 0x55f825998d5e in lde ldpd/lde.c:160 error 23-Nov-2020 18:53:57 #5 0x55f82598a289 in main ldpd/ldpd.c:320 error 23-Nov-2020 18:53:57 #6 0x7fe3f749db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 23-Nov-2020 18:53:57 error 23-Nov-2020 18:53:57 previously allocated by thread T0 here: error 23-Nov-2020 18:53:57 #0 0x7fe3f8a4dd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) error 23-Nov-2020 18:53:57 #1 0x55f825998cb7 in lde ldpd/lde.c:151 error 23-Nov-2020 18:53:57 #2 0x55f82598a289 in main ldpd/ldpd.c:320 error 23-Nov-2020 18:53:57 #3 0x7fe3f749db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 23-Nov-2020 18:53:57 The fix is to put this in global space. Signed-off-by: Donald Sharp <[email protected]>

error 26-Nov-2020 14:35:02 ERROR: AddressSanitizer: heap-use-after-free on address 0x631000024838 at pc 0x55cefae977e9 bp 0x7ffdd3546860 sp 0x7ffdd3546850 error 26-Nov-2020 14:35:02 READ of size 4 at 0x631000024838 thread T0 error 26-Nov-2020 14:35:02 #0 0x55cefae977e8 in ldpe_imsg_compose_parent_sync ldpd/ldpe.c:256 error 26-Nov-2020 14:35:02 #1 0x55cefae9ab13 in vlog ldpd/log.c:53 error 26-Nov-2020 14:35:02 #2 0x55cefae9b21f in log_info ldpd/log.c:102 error 26-Nov-2020 14:35:02 #3 0x55cefae96eae in ldpe_shutdown ldpd/ldpe.c:237 error 26-Nov-2020 14:35:02 #4 0x55cefae99254 in ldpe_dispatch_main ldpd/ldpe.c:585 error 26-Nov-2020 14:35:02 #5 0x55cefaf93875 in thread_call lib/thread.c:1681 error 26-Nov-2020 14:35:02 #6 0x55cefae97304 in ldpe ldpd/ldpe.c:136 error 26-Nov-2020 14:35:02 #7 0x55cefae5a2e2 in main ldpd/ldpd.c:322 error 26-Nov-2020 14:35:02 #8 0x7f4ef0c33b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 26-Nov-2020 14:35:02 #9 0x55cefae525e9 in _start (/usr/lib/frr/ldpd+0xb35e9) error 26-Nov-2020 14:35:02 error 26-Nov-2020 14:35:02 0x631000024838 is located 65592 bytes inside of 65632-byte region [0x631000014800,0x631000024860) error 26-Nov-2020 14:35:02 freed by thread T0 here: error 26-Nov-2020 14:35:02 #0 0x7f4ef21e37a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) error 26-Nov-2020 14:35:02 #1 0x55cefae96e91 in ldpe_shutdown ldpd/ldpe.c:234 error 26-Nov-2020 14:35:02 #2 0x55cefae99254 in ldpe_dispatch_main ldpd/ldpe.c:585 error 26-Nov-2020 14:35:02 #3 0x55cefaf93875 in thread_call lib/thread.c:1681 error 26-Nov-2020 14:35:02 #4 0x55cefae97304 in ldpe ldpd/ldpe.c:136 error 26-Nov-2020 14:35:02 #5 0x55cefae5a2e2 in main ldpd/ldpd.c:322 error 26-Nov-2020 14:35:02 #6 0x7f4ef0c33b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) error 26-Nov-2020 14:35:02 error 26-Nov-2020 14:35:02 previously allocated by thread T0 here: error 26-Nov-2020 14:35:02 #0 0x7f4ef21e3d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) error 26-Nov-2020 14:35:02 #1 0x55cefae9725d in ldpe ldpd/ldpe.c:127 error 26-Nov-2020 14:35:02 #2 0x55cefae5a2e2 in main ldpd/ldpd.c:322 error 26-Nov-2020 14:35:02 #3 0x7f4ef0c33b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) Clean this problem up in the same way as the previous commit Signed-off-by: Donald Sharp <[email protected]>

Fix the following address sanitizer crash when running the command `find`: ==163468==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fff4840fc1d at pc 0x7f4311742d11 bp 0x7fff4840fbc0 sp 0x7fff4840fb b0 WRITE of size 1 at 0x7fff4840fc1d thread T0 #0 0x7f4311742d10 in print_cmd ../lib/command.c:1541 #1 0x7f4311746274 in cmd_find_cmds ../lib/command.c:2364 #2 0x560b18b4c222 in find ../vtysh/vtysh.c:3732 #3 0x7f431174043a in cmd_execute_command_real ../lib/command.c:995 #4 0x7f43117407d3 in cmd_execute_command ../lib/command.c:1055 #5 0x7f4311741446 in cmd_execute ../lib/command.c:1219 #6 0x560b18b426c7 in vtysh_execute_func ../vtysh/vtysh.c:486 #7 0x560b18b43575 in vtysh_execute ../vtysh/vtysh.c:671 #8 0x560b18b409b4 in main ../vtysh/vtysh_main.c:721 #9 0x7f43113c90b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #10 0x560b18b3e64d in _start (/usr/bin/vtysh+0x21f64d) Signed-off-by: Rafael Zalamena <[email protected]>

Fixing the crash: > #0 0x0000560aa80f8e30 in lspdb_const_find (h=<error reading variable: Cannot access memory at address 0x7fff5e95efe8>, item=<error reading variable: Cannot access memory at address 0x7fff5e95efe0>) at ./isisd/isis_lsp.h:64 > #1 0x0000560aa80f8e9d in lspdb_find (h=0x560aaa1ed3b8, item=0x7fff5e95f050) at ./isisd/isis_lsp.h:64 > #2 0x0000560aa80f92f9 in lsp_search (head=0x560aaa1ed3b8, id=0x7fff5e95f200 "") at isisd/isis_lsp.c:100 > #3 0x0000560aa8113d69 in spf_adj_list_parse_tlv (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, id=0x560aad331a78 "", desig_is_id=0x0, pseudo_metric=0, metric=3, oldmetric=false, subtlvs=0x0) at isisd/isis_spf.c:1330 > #4 0x0000560aa811419d in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1429 > #5 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #6 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > (...) > #65507 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65508 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65509 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65510 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65511 0x0000560aa8114313 in isis_spf_build_adj_list (spftree=0x560aaa1f09d0, lsp=0x560aaa1f4e50) at isisd/isis_spf.c:1455 > #65512 0x0000560aa8114f09 in isis_run_spf (spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1775 > #65513 0x0000560aa8115057 in isis_run_spf_with_protection (area=0x560aaa1ed3b0, spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1801 > #65514 0x0000560aa8115311 in isis_run_spf_cb (thread=0x7fff5f15e5a0) at isisd/isis_spf.c:1859 > #65515 0x00007f90bac66dcc in thread_call (thread=0x7fff5f15e5a0) at lib/thread.c:2002 > #65516 0x00007f90bac013ee in frr_run (master=0x560aa9f5cb40) at lib/libfrr.c:1196 > #65517 0x0000560aa80e7da2 in main (argc=2, argv=0x7fff5f15e7b8, envp=0x7fff5f15e7d0) at isisd/isis_main.c:273 Fixes: 7b36d36 ("isisd: make the SPF code more modular") Signed-off-by: Louis Scalbert <[email protected]>

Fixing the crash: > #0 0x0000560aa80f8e30 in lspdb_const_find (h=<error reading variable: Cannot access memory at address 0x7fff5e95efe8>, item=<error reading variable: Cannot access memory at address 0x7fff5e95efe0>) at ./isisd/isis_lsp.h:64 > #1 0x0000560aa80f8e9d in lspdb_find (h=0x560aaa1ed3b8, item=0x7fff5e95f050) at ./isisd/isis_lsp.h:64 > #2 0x0000560aa80f92f9 in lsp_search (head=0x560aaa1ed3b8, id=0x7fff5e95f200 "") at isisd/isis_lsp.c:100 > #3 0x0000560aa8113d69 in spf_adj_list_parse_tlv (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, id=0x560aad331a78 "", desig_is_id=0x0, pseudo_metric=0, metric=3, oldmetric=false, subtlvs=0x0) at isisd/isis_spf.c:1330 > #4 0x0000560aa811419d in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1429 > #5 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #6 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > (...) > #65507 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65508 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65509 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65510 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65511 0x0000560aa8114313 in isis_spf_build_adj_list (spftree=0x560aaa1f09d0, lsp=0x560aaa1f4e50) at isisd/isis_spf.c:1455 > #65512 0x0000560aa8114f09 in isis_run_spf (spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1775 > #65513 0x0000560aa8115057 in isis_run_spf_with_protection (area=0x560aaa1ed3b0, spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1801 > #65514 0x0000560aa8115311 in isis_run_spf_cb (thread=0x7fff5f15e5a0) at isisd/isis_spf.c:1859 > #65515 0x00007f90bac66dcc in thread_call (thread=0x7fff5f15e5a0) at lib/thread.c:2002 > #65516 0x00007f90bac013ee in frr_run (master=0x560aa9f5cb40) at lib/libfrr.c:1196 > #65517 0x0000560aa80e7da2 in main (argc=2, argv=0x7fff5f15e7b8, envp=0x7fff5f15e7d0) at isisd/isis_main.c:273 The fix is similar to the crash fix included in d9884a7 ("isisd: Prepare IS-IS for Link State support"). The fix was: > diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c > index 94353a5..92d329f 100644 > --- a/isisd/isis_lsp.c > +++ b/isisd/isis_lsp.c > @@ -2166,7 +2178,7 @@ int isis_lsp_iterate_ip_reach(struct isis_lsp *lsp, int family, uint16_t mtid, > if (lsp->hdr.seqno == 0 || lsp->hdr.rem_lifetime == 0) > return LSP_ITER_CONTINUE; > > - /* Parse main LSP. */ > + /* Parse LSP */ > if (lsp->tlvs) { > if (!fabricd && !pseudo_lsp && family == AF_INET > && mtid == ISIS_MT_IPV4_UNICAST) { > @@ -2236,13 +2248,17 @@ int isis_lsp_iterate_ip_reach(struct isis_lsp *lsp, int family, uint16_t mtid, > } > } > > - /* Parse LSP fragments. */ > - for (ALL_LIST_ELEMENTS_RO(lsp->lspu.frags, node, frag)) { > - if (!frag->tlvs) > - continue; > + /* Parse LSP fragments if it is not a fragment itself */ > + if (!LSP_FRAGMENT(lsp->hdr.lsp_id)) > + for (ALL_LIST_ELEMENTS_RO(lsp->lspu.frags, node, frag)) { > + if (!frag->tlvs) > + continue; > > - isis_lsp_iterate_ip_reach(frag, family, mtid, cb, arg); > - } > + if (isis_lsp_iterate_ip_reach(frag, family, mtid, cb, > + arg) > + == LSP_ITER_STOP) > + return LSP_ITER_STOP; > + } > > return LSP_ITER_CONTINUE; > } Fixes: 7b36d36 ("isisd: make the SPF code more modular") Fixes: 5e56a50 ("isisd: fix infinite loop when parsing LSPs") Signed-off-by: Louis Scalbert <[email protected]>

Fixing the crash: > #0 0x0000560aa80f8e30 in lspdb_const_find (h=<error reading variable: Cannot access memory at address 0x7fff5e95efe8>, item=<error reading variable: Cannot access memory at address 0x7fff5e95efe0>) at ./isisd/isis_lsp.h:64 > #1 0x0000560aa80f8e9d in lspdb_find (h=0x560aaa1ed3b8, item=0x7fff5e95f050) at ./isisd/isis_lsp.h:64 > #2 0x0000560aa80f92f9 in lsp_search (head=0x560aaa1ed3b8, id=0x7fff5e95f200 "") at isisd/isis_lsp.c:100 > #3 0x0000560aa8113d69 in spf_adj_list_parse_tlv (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, id=0x560aad331a78 "", desig_is_id=0x0, pseudo_metric=0, metric=3, oldmetric=false, subtlvs=0x0) at isisd/isis_spf.c:1330 > #4 0x0000560aa811419d in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1429 > #5 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #6 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > (...) > #65507 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65508 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65509 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65510 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442 > #65511 0x0000560aa8114313 in isis_spf_build_adj_list (spftree=0x560aaa1f09d0, lsp=0x560aaa1f4e50) at isisd/isis_spf.c:1455 > #65512 0x0000560aa8114f09 in isis_run_spf (spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1775 > #65513 0x0000560aa8115057 in isis_run_spf_with_protection (area=0x560aaa1ed3b0, spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1801 > #65514 0x0000560aa8115311 in isis_run_spf_cb (thread=0x7fff5f15e5a0) at isisd/isis_spf.c:1859 > #65515 0x00007f90bac66dcc in thread_call (thread=0x7fff5f15e5a0) at lib/thread.c:2002 > #65516 0x00007f90bac013ee in frr_run (master=0x560aa9f5cb40) at lib/libfrr.c:1196 > #65517 0x0000560aa80e7da2 in main (argc=2, argv=0x7fff5f15e7b8, envp=0x7fff5f15e7d0) at isisd/isis_main.c:273 The fix is similar to the crash fix included in d9884a7 ("isisd: Prepare IS-IS for Link State support"). The fix was: > diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c > index 94353a5..92d329f 100644 > --- a/isisd/isis_lsp.c > +++ b/isisd/isis_lsp.c > @@ -2166,7 +2178,7 @@ int isis_lsp_iterate_ip_reach(struct isis_lsp *lsp, int family, uint16_t mtid, > if (lsp->hdr.seqno == 0 || lsp->hdr.rem_lifetime == 0) > return LSP_ITER_CONTINUE; > > - /* Parse main LSP. */ > + /* Parse LSP */ > if (lsp->tlvs) { > if (!fabricd && !pseudo_lsp && family == AF_INET > && mtid == ISIS_MT_IPV4_UNICAST) { > @@ -2236,13 +2248,17 @@ int isis_lsp_iterate_ip_reach(struct isis_lsp *lsp, int family, uint16_t mtid, > } > } > > - /* Parse LSP fragments. */ > - for (ALL_LIST_ELEMENTS_RO(lsp->lspu.frags, node, frag)) { > - if (!frag->tlvs) > - continue; > + /* Parse LSP fragments if it is not a fragment itself */ > + if (!LSP_FRAGMENT(lsp->hdr.lsp_id)) > + for (ALL_LIST_ELEMENTS_RO(lsp->lspu.frags, node, frag)) { > + if (!frag->tlvs) > + continue; > > - isis_lsp_iterate_ip_reach(frag, family, mtid, cb, arg); > - } > + if (isis_lsp_iterate_ip_reach(frag, family, mtid, cb, > + arg) > + == LSP_ITER_STOP) > + return LSP_ITER_STOP; > + } > > return LSP_ITER_CONTINUE; > } Fixes: 7b36d36 ("isisd: make the SPF code more modular") Fixes: 5e56a50 ("isisd: fix infinite loop when parsing LSPs") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit 8c8a5a0)

Config data was being freed just prior to it being used for cleanup in shutdown. Prevent this from happening. ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-================================================================= ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142:==2274142==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00000c880 at pc 0x0000004d94d1 bp 0x7ffd46637810 sp 0 x7ffd46637808 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-READ of size 4 at 0x61d00000c880 thread T0 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #0 0x4d94d0 in ldp_rtr_id_get /home/sharpd/frr8/ldpd/ldpd.c:983:20 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #1 0x56ff92 in gen_ldp_hdr /home/sharpd/frr8/ldpd/packet.c:47:19 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #2 0x56a4b0 in send_notification_full /home/sharpd/frr8/ldpd/notification.c:49:9 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #3 0x56c4b3 in send_notification /home/sharpd/frr8/ldpd/notification.c:117:2 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #4 0x573fb7 in session_shutdown /home/sharpd/frr8/ldpd/packet.c:666:3 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #5 0x4e2ef1 in adj_del /home/sharpd/frr8/ldpd/adjacency.c:145:3 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #6 0x55d425 in ldpe_shutdown /home/sharpd/frr8/ldpd/ldpe.c:231:3 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #7 0x55a9a0 in ldpe_dispatch_main /home/sharpd/frr8/ldpd/ldpe.c:631:3 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #8 0x7f0c00c035e6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #9 0x5586f2 in ldpe /home/sharpd/frr8/ldpd/ldpe.c:138:3 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #10 0x4d46d2 in main /home/sharpd/frr8/ldpd/ldpd.c:339:3 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #11 0x7f0c00476d09 in __libc_start_main csu/../csu/libc-start.c:308:16 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #12 0x429cb9 in _start (/usr/lib/frr/ldpd+0x429cb9) ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-0x61d00000c880 is located 0 bytes inside of 2008-byte region [0x61d00000c880,0x61d00000d058) ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-freed by thread T0 here: ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #0 0x4a3aad in free (/usr/lib/frr/ldpd+0x4a3aad) ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #1 0x4de6c8 in config_clear /home/sharpd/frr8/ldpd/ldpd.c:2001:2 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #2 0x55d12d in ldpe_shutdown /home/sharpd/frr8/ldpd/ldpe.c:211:2 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #3 0x55a9a0 in ldpe_dispatch_main /home/sharpd/frr8/ldpd/ldpe.c:631:3 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #4 0x7f0c00c035e6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #5 0x5586f2 in ldpe /home/sharpd/frr8/ldpd/ldpe.c:138:3 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #6 0x4d46d2 in main /home/sharpd/frr8/ldpd/ldpd.c:339:3 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #7 0x7f0c00476d09 in __libc_start_main csu/../csu/libc-start.c:308:16 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-previously allocated by thread T0 here: ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #0 0x4a3ea2 in calloc (/usr/lib/frr/ldpd+0x4a3ea2) ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #1 0x4d6146 in config_new_empty /home/sharpd/frr8/ldpd/ldpd.c:1967:10 ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #2 0x558678 in ldpe /home/sharpd/frr8/ldpd/ldpe.c:134:11 -- ./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142- #4 0x7f0c00476d09 in __libc_start_main csu/../csu/libc-start.c:308:16 Signed-off-by: Donald Sharp <[email protected]>

On shutdown a use after free was being seen of a route table. Basically the pointer was kept around and resent for cleanup. Probably something needs to be unwound to make this better in the future. Just cleaning up the use after free. ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-================================================================= ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929:==911929==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000127a00 at pc 0x7fb9ad546f5b bp 0x7ffc3cff0330 sp 0x7ffc3 cff0328 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-READ of size 8 at 0x606000127a00 thread T0 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #0 0x7fb9ad546f5a in route_table_free /home/sharpd/frr8/lib/table.c:103:13 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #1 0x7fb9ad546f04 in route_table_finish /home/sharpd/frr8/lib/table.c:61:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #2 0x6b94ba in zebra_ns_disable_internal /home/sharpd/frr8/zebra/zebra_ns.c:141:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #3 0x6b9158 in zebra_ns_disabled /home/sharpd/frr8/zebra/zebra_ns.c:116:9 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #4 0x7fb9ad43f0f5 in ns_disable_internal /home/sharpd/frr8/lib/netns_linux.c:273:4 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #5 0x7fb9ad43e634 in ns_disable /home/sharpd/frr8/lib/netns_linux.c:368:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #6 0x7fb9ad43e251 in ns_delete /home/sharpd/frr8/lib/netns_linux.c:330:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #7 0x7fb9ad43fbb3 in ns_terminate /home/sharpd/frr8/lib/netns_linux.c:524:3 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #8 0x54f8de in zebra_finalize /home/sharpd/frr8/zebra/main.c:232:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #9 0x7fb9ad5655e6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #10 0x7fb9ad3d3343 in frr_run /home/sharpd/frr8/lib/libfrr.c:1198:3 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #11 0x550b48 in main /home/sharpd/frr8/zebra/main.c:476:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #12 0x7fb9acd30d09 in __libc_start_main csu/../csu/libc-start.c:308:16 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #13 0x443549 in _start (/usr/lib/frr/zebra+0x443549) ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-0x606000127a00 is located 0 bytes inside of 56-byte region [0x606000127a00,0x606000127a38) ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-freed by thread T0 here: ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #0 0x4bd33d in free (/usr/lib/frr/zebra+0x4bd33d) ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #1 0x7fb9ad42cc80 in qfree /home/sharpd/frr8/lib/memory.c:141:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #2 0x7fb9ad547305 in route_table_free /home/sharpd/frr8/lib/table.c:141:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #3 0x7fb9ad546f04 in route_table_finish /home/sharpd/frr8/lib/table.c:61:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #4 0x6b94ba in zebra_ns_disable_internal /home/sharpd/frr8/zebra/zebra_ns.c:141:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #5 0x6b9692 in zebra_ns_early_shutdown /home/sharpd/frr8/zebra/zebra_ns.c:164:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #6 0x7fb9ad43f228 in ns_walk_func /home/sharpd/frr8/lib/netns_linux.c:386:9 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #7 0x55014f in sigint /home/sharpd/frr8/zebra/main.c:194:2 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #8 0x7fb9ad50db99 in frr_sigevent_process /home/sharpd/frr8/lib/sigevent.c:130:6 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #9 0x7fb9ad560d07 in thread_fetch /home/sharpd/frr8/lib/thread.c:1775:4 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #10 0x7fb9ad3d332d in frr_run /home/sharpd/frr8/lib/libfrr.c:1197:9 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #11 0x550b48 in main /home/sharpd/frr8/zebra/main.c:476:2 -- ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- #7 0x7fb9acd30d09 in __libc_start_main csu/../csu/libc-start.c:308:16 ./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929- Signed-off-by: Donald Sharp <[email protected]>

When changing the peers sockunion structure the bgp->peer list was not being updated properly. Since the peer's su is being used for a sorted insert then the change of it requires that the value be pulled out of the bgp->peer list and then put back into as well. Additionally ensure that the hash is always released on peer deletion. Lead to this from this decode in a address sanitizer run. ================================================================= ==30778==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a0000d8440 at pc 0x7f48c9c5c547 bp 0x7ffcba272cb0 sp 0x7ffcba272ca8 READ of size 2 at 0x62a0000d8440 thread T0 #0 0x7f48c9c5c546 in sockunion_same lib/sockunion.c:425 #1 0x55cfefe3000f in peer_hash_same bgpd/bgpd.c:890 #2 0x7f48c9bde039 in hash_release lib/hash.c:209 #3 0x55cfefe3373f in bgp_peer_conf_if_to_su_update bgpd/bgpd.c:1541 #4 0x55cfefd0be7a in bgp_stop bgpd/bgp_fsm.c:1631 #5 0x55cfefe4028f in peer_delete bgpd/bgpd.c:2362 #6 0x55cfefdd5e97 in no_neighbor_interface_config bgpd/bgp_vty.c:4267 #7 0x7f48c9b9d160 in cmd_execute_command_real lib/command.c:949 #8 0x7f48c9ba1112 in cmd_execute_command lib/command.c:1009 #9 0x7f48c9ba1573 in cmd_execute lib/command.c:1162 #10 0x7f48c9c87402 in vty_command lib/vty.c:526 #11 0x7f48c9c87832 in vty_execute lib/vty.c:1291 #12 0x7f48c9c8e741 in vtysh_read lib/vty.c:2130 #13 0x7f48c9c7a66d in thread_call lib/thread.c:1585 #14 0x7f48c9bf64e7 in frr_run lib/libfrr.c:1123 #15 0x55cfefc75a15 in main bgpd/bgp_main.c:540 #16 0x7f48c96b009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) #17 0x55cfefc787f9 in _start (/usr/lib/frr/bgpd+0xe27f9) 0x62a0000d8440 is located 576 bytes inside of 23376-byte region [0x62a0000d8200,0x62a0000ddd50) freed by thread T0 here: #0 0x7f48c9eb9fb0 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0) #1 0x55cfefe3fe42 in peer_free bgpd/bgpd.c:1113 #2 0x55cfefe3fe42 in peer_unlock_with_caller bgpd/bgpd.c:1144 #3 0x55cfefe4092e in peer_delete bgpd/bgpd.c:2457 #4 0x55cfefdd5e97 in no_neighbor_interface_config bgpd/bgp_vty.c:4267 #5 0x7f48c9b9d160 in cmd_execute_command_real lib/command.c:949 #6 0x7f48c9ba1112 in cmd_execute_command lib/command.c:1009 #7 0x7f48c9ba1573 in cmd_execute lib/command.c:1162 #8 0x7f48c9c87402 in vty_command lib/vty.c:526 #9 0x7f48c9c87832 in vty_execute lib/vty.c:1291 #10 0x7f48c9c8e741 in vtysh_read lib/vty.c:2130 #11 0x7f48c9c7a66d in thread_call lib/thread.c:1585 #12 0x7f48c9bf64e7 in frr_run lib/libfrr.c:1123 #13 0x55cfefc75a15 in main bgpd/bgp_main.c:540 #14 0x7f48c96b009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) Signed-off-by: Donald Sharp <[email protected]>

ASAN reported the following memleak: ``` Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x4d4342 in calloc (/usr/lib/frr/bgpd+0x4d4342) #1 0xbc3d68 in qcalloc /home/sharpd/frr8/lib/memory.c:116:27 #2 0xb869f7 in list_new /home/sharpd/frr8/lib/linklist.c:64:9 #3 0x5a38bc in bgp_evpn_remote_ip_hash_alloc /home/sharpd/frr8/bgpd/bgp_evpn.c:6789:24 #4 0xb358d3 in hash_get /home/sharpd/frr8/lib/hash.c:162:13 #5 0x593d39 in bgp_evpn_remote_ip_hash_add /home/sharpd/frr8/bgpd/bgp_evpn.c:6881:7 #6 0x59dbbd in install_evpn_route_entry_in_vni_common /home/sharpd/frr8/bgpd/bgp_evpn.c:3049:2 #7 0x59cfe0 in install_evpn_route_entry_in_vni_ip /home/sharpd/frr8/bgpd/bgp_evpn.c:3126:8 #8 0x59c6f0 in install_evpn_route_entry /home/sharpd/frr8/bgpd/bgp_evpn.c:3318:8 #9 0x59bb52 in install_uninstall_route_in_vnis /home/sharpd/frr8/bgpd/bgp_evpn.c:3888:10 #10 0x59b6d2 in bgp_evpn_install_uninstall_table /home/sharpd/frr8/bgpd/bgp_evpn.c:4019:5 #11 0x578857 in install_uninstall_evpn_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4051:9 #12 0x58ada6 in bgp_evpn_import_route /home/sharpd/frr8/bgpd/bgp_evpn.c:6049:9 #13 0x713794 in bgp_update /home/sharpd/frr8/bgpd/bgp_route.c:4842:3 #14 0x583fa0 in process_type2_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4518:9 #15 0x5824ba in bgp_nlri_parse_evpn /home/sharpd/frr8/bgpd/bgp_evpn.c:5732:8 #16 0x6ae6a2 in bgp_nlri_parse /home/sharpd/frr8/bgpd/bgp_packet.c:363:10 #17 0x6be6fa in bgp_update_receive /home/sharpd/frr8/bgpd/bgp_packet.c:2020:15 #18 0x6b7433 in bgp_process_packet /home/sharpd/frr8/bgpd/bgp_packet.c:2929:11 #19 0xd00146 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2 ``` The list itself was not being cleaned up when the final list entry was removed, so make sure we do that instead of leaking memory. Signed-off-by: Trey Aspelund <[email protected]>

Address Sanitizer found this: ================================================================= ==418623==ERROR: LeakSanitizer: detected memory leaks Direct leak of 128 byte(s) in 4 object(s) allocated from: #0 0x4bd732 in calloc (/usr/lib/frr/zebra+0x4bd732) #1 0x7feaeab8f798 in qcalloc /home/sharpd/frr8/lib/memory.c:116:27 #2 0x7feaeaba40f4 in nexthop_group_new /home/sharpd/frr8/lib/nexthop_group.c:270:9 #3 0x56859b in netlink_route_change_read_unicast /home/sharpd/frr8/zebra/rt_netlink.c:950:9 #4 0x5651c2 in netlink_route_change /home/sharpd/frr8/zebra/rt_netlink.c:1204:2 #5 0x54af15 in netlink_information_fetch /home/sharpd/frr8/zebra/kernel_netlink.c:407:10 #6 0x53e7a3 in netlink_parse_info /home/sharpd/frr8/zebra/kernel_netlink.c:1184:12 #7 0x548d46 in kernel_read /home/sharpd/frr8/zebra/kernel_netlink.c:501:2 #8 0x7feaeacc87f6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2 #9 0x7feaeab36503 in frr_run /home/sharpd/frr8/lib/libfrr.c:1198:3 #10 0x550d38 in main /home/sharpd/frr8/zebra/main.c:476:2 #11 0x7feaea492d09 in __libc_start_main csu/../csu/libc-start.c:308:16 Indirect leak of 576 byte(s) in 4 object(s) allocated from: #0 0x4bd732 in calloc (/usr/lib/frr/zebra+0x4bd732) #1 0x7feaeab8f798 in qcalloc /home/sharpd/frr8/lib/memory.c:116:27 #2 0x7feaeab9b3f8 in nexthop_new /home/sharpd/frr8/lib/nexthop.c:373:7 #3 0x56875e in netlink_route_change_read_unicast /home/sharpd/frr8/zebra/rt_netlink.c:960:15 #4 0x5651c2 in netlink_route_change /home/sharpd/frr8/zebra/rt_netlink.c:1204:2 #5 0x54af15 in netlink_information_fetch /home/sharpd/frr8/zebra/kernel_netlink.c:407:10 #6 0x53e7a3 in netlink_parse_info /home/sharpd/frr8/zebra/kernel_netlink.c:1184:12 #7 0x548d46 in kernel_read /home/sharpd/frr8/zebra/kernel_netlink.c:501:2 #8 0x7feaeacc87f6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2 #9 0x7feaeab36503 in frr_run /home/sharpd/frr8/lib/libfrr.c:1198:3 #10 0x550d38 in main /home/sharpd/frr8/zebra/main.c:476:2 #11 0x7feaea492d09 in __libc_start_main csu/../csu/libc-start.c:308:16 SUMMARY: AddressSanitizer: 704 byte(s) leaked in 8 allocation(s). Fix this! Signed-off-by: Donald Sharp <[email protected]>

Fix crash on "show bgp all" when BGP EVPN is set. > #0 raise (sig=11) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007fdfe03cf53c in core_handler (signo=11, siginfo=0x7ffdebbffe30, context=0x7ffdebbffd00) at lib/sigevent.c:261 > #2 <signal handler called> > #3 0x00000000004d4fec in bgp_attr_get_community (attr=0x41) at bgpd/bgp_attr.h:553 > #4 0x00000000004eee84 in bgp_show_table (vty=0x1a790d0, bgp=0x19d0a00, safi=SAFI_EVPN, table=0x19f6010, type=bgp_show_type_normal, output_arg=0x0, rd=0x0, is_last=1, output_cum=0x0, > total_cum=0x0, json_header_depth=0x7ffdebc00bf8, show_flags=4, rpki_target_state=RPKI_NOT_BEING_USED) at bgpd/bgp_route.c:11329 > #5 0x00000000004f7765 in bgp_show (vty=0x1a790d0, bgp=0x19d0a00, afi=AFI_L2VPN, safi=SAFI_EVPN, type=bgp_show_type_normal, output_arg=0x0, show_flags=4, > rpki_target_state=RPKI_NOT_BEING_USED) at bgpd/bgp_route.c:11814 > #6 0x00000000004fb53b in show_ip_bgp_magic (self=0x6752b0 <show_ip_bgp_cmd>, vty=0x1a790d0, argc=3, argv=0x19cb050, viewvrfname=0x0, all=0x1395390 "all", aa_nn=0x0, community_list=0, > community_list_str=0x0, community_list_name=0x0, as_path_filter_name=0x0, prefix_list=0x0, accesslist_name=0x0, rmap_name=0x0, version=0, version_str=0x0, alias_name=0x0, > orr_group_name=0x0, detail_routes=0x0, uj=0x0, detail_json=0x0, wide=0x0) at bgpd/bgp_route.c:13040 > #7 0x00000000004fa322 in show_ip_bgp (self=0x6752b0 <show_ip_bgp_cmd>, vty=0x1a790d0, argc=3, argv=0x19cb050) at ./bgpd/bgp_route_clippy.c:519 > #8 0x00007fdfe033ccc8 in cmd_execute_command_real (vline=0x19c9300, filter=FILTER_RELAXED, vty=0x1a790d0, cmd=0x0, up_level=0) at lib/command.c:996 > #9 0x00007fdfe033c739 in cmd_execute_command (vline=0x19c9300, vty=0x1a790d0, cmd=0x0, vtysh=0) at lib/command.c:1056 > #10 0x00007fdfe033cdf5 in cmd_execute (vty=0x1a790d0, cmd=0x19c9eb0 "show bgp all", matched=0x0, vtysh=0) at lib/command.c:1223 > #11 0x00007fdfe03f65c6 in vty_command (vty=0x1a790d0, buf=0x19c9eb0 "show bgp all") at lib/vty.c:486 > #12 0x00007fdfe03f603b in vty_execute (vty=0x1a790d0) at lib/vty.c:1249 > #13 0x00007fdfe03f533b in vtysh_read (thread=0x7ffdebc03838) at lib/vty.c:2148 > #14 0x00007fdfe03e815d in thread_call (thread=0x7ffdebc03838) at lib/thread.c:2006 > #15 0x00007fdfe0379b54 in frr_run (master=0x1246880) at lib/libfrr.c:1198 > #16 0x000000000042b2a8 in main (argc=7, argv=0x7ffdebc03af8) at bgpd/bgp_main.c:520 Link: FRRouting#12576 Signed-off-by: Louis Scalbert <[email protected]>

``` ==58960==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000707a8 at pc 0x55c24bbcd023 bp 0x7ffdb042d050 sp 0x7ffdb042d040 READ of size 8 at 0x6040000707a8 thread T0 #0 0x55c24bbcd022 in aspath_key_make bgpd/bgp_aspath.c:2070 #1 0x55c24b8f1140 in attrhash_key_make bgpd/bgp_attr.c:777 #2 0x7f52322e66c9 in hash_release lib/hash.c:220 #3 0x55c24b8f6017 in bgp_attr_unintern bgpd/bgp_attr.c:1271 #4 0x55c24ba0acaa in bgp_path_info_free_with_caller bgpd/bgp_route.c:283 #5 0x55c24ba0a7de in bgp_path_info_unlock bgpd/bgp_route.c:309 #6 0x55c24ba0af6d in bgp_path_info_reap bgpd/bgp_route.c:426 #7 0x55c24ba17b9a in bgp_process_main_one bgpd/bgp_route.c:3333 #8 0x55c24ba18a1d in bgp_process_wq bgpd/bgp_route.c:3425 #9 0x7f52323c2cd5 in work_queue_run lib/workqueue.c:282 #10 0x7f52323aab92 in thread_call lib/thread.c:2006 #11 0x7f5232300dc7 in frr_run lib/libfrr.c:1198 #12 0x55c24b8ea792 in main bgpd/bgp_main.c:520 #13 0x7f5231c3a082 in __libc_start_main ../csu/libc-start.c:308 #14 0x55c24b8ef0bd in _start (/usr/lib/frr/bgpd+0x2c90bd) 0x6040000707a8 is located 24 bytes inside of 40-byte region [0x604000070790,0x6040000707b8) freed by thread T0 here: #0 0x7f52326e740f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 #1 0x55c24bbcc36f in aspath_unintern bgpd/bgp_aspath.c:345 #2 0x55c24b8f56f2 in bgp_attr_unintern_sub bgpd/bgp_attr.c:1204 #3 0x55c24b8f6049 in bgp_attr_unintern bgpd/bgp_attr.c:1277 #4 0x55c24bbc9c1a in bgp_adj_in_remove bgpd/bgp_advertise.c:208 #5 0x55c24ba0b0d4 in bgp_clear_route_table bgpd/bgp_route.c:5553 #6 0x55c24ba1ba57 in bgp_clear_route bgpd/bgp_route.c:5612 #7 0x55c24ba1bedf in bgp_clear_route_all bgpd/bgp_route.c:5634 #8 0x55c24b99c762 in bgp_fsm_change_status bgpd/bgp_fsm.c:1288 #9 0x55c24b9a163d in bgp_event_update bgpd/bgp_fsm.c:2639 #10 0x55c24b9a176b in bgp_event bgpd/bgp_fsm.c:2591 #11 0x7f52323aab92 in thread_call lib/thread.c:2006 #12 0x7f5232300dc7 in frr_run lib/libfrr.c:1198 #13 0x55c24b8ea792 in main bgpd/bgp_main.c:520 #14 0x7f5231c3a082 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7f52326e7808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x7f523231e209 in qmalloc lib/memory.c:111 #2 0x55c24bbcb889 in aspath_hash_alloc bgpd/bgp_aspath.c:728 #3 0x7f52322e5f07 in hash_get lib/hash.c:162 #4 0x55c24bbcd63b in aspath_parse bgpd/bgp_aspath.c:862 #5 0x55c24b8fd48c in bgp_attr_aspath bgpd/bgp_attr.c:1613 #6 0x55c24b8fd48c in bgp_attr_parse bgpd/bgp_attr.c:3656 #7 0x55c24b9e2f22 in bgp_update_receive bgpd/bgp_packet.c:1952 #8 0x55c24b9e9a3f in bgp_process_packet bgpd/bgp_packet.c:2940 #9 0x7f52323aab92 in thread_call lib/thread.c:2006 #10 0x7f5232300dc7 in frr_run lib/libfrr.c:1198 #11 0x55c24b8ea792 in main bgpd/bgp_main.c:520 #12 0x7f5231c3a082 in __libc_start_main ../csu/libc-start.c:308 ``` Signed-off-by: Donatas Abraitis <[email protected]>

After we call subgroup_announce_check(), we leave communities, large-communities that are modified by route-maps uninterned, and here we have a memory leak. ``` ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323:Direct leak of 80 byte(s) in 2 object(s) allocated from: ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #0 0x7f0858d90037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #1 0x7f08589b15b2 in qcalloc lib/memory.c:105 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #2 0x561f5c4e08d2 in lcommunity_new bgpd/bgp_lcommunity.c:28 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #3 0x561f5c4e11d9 in lcommunity_dup bgpd/bgp_lcommunity.c:141 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #4 0x561f5c5c3b8b in route_set_lcommunity bgpd/bgp_routemap.c:2491 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #5 0x7f0858a177a5 in route_map_apply_ext lib/routemap.c:2675 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #6 0x561f5c5696f9 in subgroup_announce_check bgpd/bgp_route.c:2352 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #7 0x561f5c5fb728 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:682 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #8 0x561f5c5fbd95 in subgroup_announce_route bgpd/bgp_updgrp_adv.c:765 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #9 0x561f5c5f6105 in peer_af_announce_route bgpd/bgp_updgrp.c:2187 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #10 0x561f5c5790be in bgp_announce_route_timer_expired bgpd/bgp_route.c:5032 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #11 0x7f0858a76e4e in thread_call lib/thread.c:1991 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #12 0x7f0858974c24 in frr_run lib/libfrr.c:1185 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #13 0x561f5c3e955d in main bgpd/bgp_main.c:505 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #14 0x7f08583a9d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323:Indirect leak of 144 byte(s) in 2 object(s) allocated from: ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #0 0x7f0858d8fe8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #1 0x7f08589b1579 in qmalloc lib/memory.c:100 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #2 0x561f5c4e1282 in lcommunity_dup bgpd/bgp_lcommunity.c:144 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #3 0x561f5c5c3b8b in route_set_lcommunity bgpd/bgp_routemap.c:2491 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #4 0x7f0858a177a5 in route_map_apply_ext lib/routemap.c:2675 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #5 0x561f5c5696f9 in subgroup_announce_check bgpd/bgp_route.c:2352 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #6 0x561f5c5fb728 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:682 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #7 0x561f5c5fbd95 in subgroup_announce_route bgpd/bgp_updgrp_adv.c:765 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #8 0x561f5c5f6105 in peer_af_announce_route bgpd/bgp_updgrp.c:2187 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #9 0x561f5c5790be in bgp_announce_route_timer_expired bgpd/bgp_route.c:5032 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #10 0x7f0858a76e4e in thread_call lib/thread.c:1991 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #11 0x7f0858974c24 in frr_run lib/libfrr.c:1185 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #12 0x561f5c3e955d in main bgpd/bgp_main.c:505 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #13 0x7f08583a9d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323-SUMMARY: AddressSanitizer: 224 byte(s) leaked in 4 allocation(s). ``` Signed-off-by: Donatas Abraitis <[email protected]>

Prevent a use after free and tell the bfd subsystem we are shutting down in staticd. ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460:==2264460==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f000004698 at pc 0x7f65d1eb11b2 bp 0x7ffdbface490 sp 0x7ffdbface488 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460-READ of size 4 at 0x61f000004698 thread T0 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #0 0x7f65d1eb11b1 in zclient_bfd_command lib/bfd.c:307 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #1 0x7f65d1eb20f5 in _bfd_sess_send lib/bfd.c:507 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #2 0x7f65d20510aa in thread_call lib/thread.c:1989 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #3 0x7f65d2051f0a in _thread_execute lib/thread.c:2081 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #4 0x7f65d1eb271b in _bfd_sess_remove lib/bfd.c:544 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #5 0x7f65d1eb278d in bfd_sess_free lib/bfd.c:553 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #6 0x7f65d1eb5400 in bfd_protocol_integration_finish lib/bfd.c:1029 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #7 0x7f65d1f42f77 in hook_call_frr_fini lib/libfrr.c:41 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #8 0x7f65d1f494a1 in frr_fini lib/libfrr.c:1199 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #9 0x563b7abefd76 in sigint staticd/static_main.c:70 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #10 0x7f65d200ef91 in frr_sigevent_process lib/sigevent.c:115 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #11 0x7f65d204fac6 in thread_fetch lib/thread.c:1758 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #12 0x7f65d1f49377 in frr_run lib/libfrr.c:1184 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #13 0x563b7abefed1 in main staticd/static_main.c:160 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #14 0x7f65d1b92d09 in __libc_start_main ../csu/libc-start.c:308 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #15 0x563b7abefa99 in _start (/usr/lib/frr/staticd+0x15a99) ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- Signed-off-by: Donald Sharp <[email protected]>

Prevent a use after free and tell the bfd subsystem we are shutting down in staticd. ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460:==2264460==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f000004698 at pc 0x7f65d1eb11b2 bp 0x7ffdbface490 sp 0x7ffdbface488 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460-READ of size 4 at 0x61f000004698 thread T0 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #0 0x7f65d1eb11b1 in zclient_bfd_command lib/bfd.c:307 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #1 0x7f65d1eb20f5 in _bfd_sess_send lib/bfd.c:507 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #2 0x7f65d20510aa in thread_call lib/thread.c:1989 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #3 0x7f65d2051f0a in _thread_execute lib/thread.c:2081 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #4 0x7f65d1eb271b in _bfd_sess_remove lib/bfd.c:544 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #5 0x7f65d1eb278d in bfd_sess_free lib/bfd.c:553 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #6 0x7f65d1eb5400 in bfd_protocol_integration_finish lib/bfd.c:1029 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #7 0x7f65d1f42f77 in hook_call_frr_fini lib/libfrr.c:41 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #8 0x7f65d1f494a1 in frr_fini lib/libfrr.c:1199 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #9 0x563b7abefd76 in sigint staticd/static_main.c:70 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #10 0x7f65d200ef91 in frr_sigevent_process lib/sigevent.c:115 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #11 0x7f65d204fac6 in thread_fetch lib/thread.c:1758 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #12 0x7f65d1f49377 in frr_run lib/libfrr.c:1184 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #13 0x563b7abefed1 in main staticd/static_main.c:160 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #14 0x7f65d1b92d09 in __libc_start_main ../csu/libc-start.c:308 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #15 0x563b7abefa99 in _start (/usr/lib/frr/staticd+0x15a99) ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- Signed-off-by: Donald Sharp <[email protected]> (cherry picked from commit 7a185ac)

Memory leaks are observed in the cleanup code. When “no router bgp" is executed, cleanup in that flow for aggregate-address command is not taken care. fixes the below leak: -- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #4 0x562bf42f1e55 in aggregate_addressv6_magic bgpd/bgp_route.c:8592 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #5 0x562bf42be3f5 in aggregate_addressv6 bgpd/bgp_route_clippy.c:341 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #4 0x562bf42f1cde in aggregate_addressv4_magic bgpd/bgp_route.c:8543 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #5 0x562bf42bd258 in aggregate_addressv4 bgpd/bgp_route_clippy.c:255 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444-SUMMARY: AddressSanitizer: 304 byte(s) leaked in 2 allocation(s). Signed-off-by: Samanvitha B Bhargav <[email protected]>

Memory leaks are observed in the cleanup code. When “no router bgp" is executed, cleanup in that flow for aggregate-address command is not taken care. fixes the below leak: -- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #4 0x562bf42f1e55 in aggregate_addressv6_magic bgpd/bgp_route.c:8592 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #5 0x562bf42be3f5 in aggregate_addressv6 bgpd/bgp_route_clippy.c:341 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #4 0x562bf42f1cde in aggregate_addressv4_magic bgpd/bgp_route.c:8543 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #5 0x562bf42bd258 in aggregate_addressv4 bgpd/bgp_route_clippy.c:255 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444-SUMMARY: AddressSanitizer: 304 byte(s) leaked in 2 allocation(s). Signed-off-by: Samanvitha B Bhargav <[email protected]> (cherry picked from commit 7a70d99) Signed-off-by: Donatas Abraitis <[email protected]>

``` ==5445==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7ff4c6bedb19 bp 0x7ffc95f2e400 sp 0x7ffc95f2e3c0 T0) ==5445==The signal is caused by a READ memory access. ==5445==Hint: address points to the zero page. #0 0x7ff4c6bedb19 in hash_iterate lib/hash.c:246 #1 0x5618f41f5f59 in bgp_evpn_nh_finish bgpd/bgp_evpn_mh.c:4663 #2 0x5618f41dcbe8 in bgp_evpn_vrf_delete bgpd/bgp_evpn.c:7336 #3 0x5618f43bdd35 in bgp_delete bgpd/bgpd.c:4098 #4 0x5618f417ef6e in bgp_exit bgpd/bgp_main.c:206 #5 0x5618f417ef6e in sigint bgpd/bgp_main.c:164 #6 0x7ff4c6cac6c4 in frr_sigevent_process lib/sigevent.c:117 #7 0x7ff4c6cd8258 in event_fetch lib/event.c:1767 #8 0x7ff4c6c0dcbc in frr_run lib/libfrr.c:1230 #9 0x5618f418080d in main bgpd/bgp_main.c:555 #10 0x7ff4c670c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #11 0x7ff4c670c304 in __libc_start_main_impl ../csu/libc-start.c:360 #12 0x5618f417ea20 in _start (/usr/lib/frr/bgpd+0x2e4a20) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV lib/hash.c:246 in hash_iterate ``` Signed-off-by: Donatas Abraitis <[email protected]>

``` ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000aecf0 at pc 0x5555557ecdb9 bp 0x7fffffffe350 sp 0x7fffffffe340 READ of size 4 at 0x6160000aecf0 thread T0 #0 0x5555557ecdb8 in igmp_source_delete pimd/pim_igmpv3.c:340 #1 0x5555557ed475 in igmp_source_delete_expired pimd/pim_igmpv3.c:405 #2 0x5555557de574 in igmp_group_timer pimd/pim_igmp.c:1346 #3 0x7ffff7275421 in event_call lib/event.c:1996 #4 0x7ffff7140797 in frr_run lib/libfrr.c:1237 #5 0x5555557f5840 in main pimd/pim_main.c:166 #6 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308 #7 0x555555686eed in _start (/usr/lib/frr/pimd+0x132eed) 0x6160000aecf0 is located 112 bytes inside of 600-byte region [0x6160000aec80,0x6160000aeed8) freed by thread T0 here: #0 0x7ffff767b40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 #1 0x7ffff716ed34 in qfree lib/memory.c:131 #2 0x5555557169ae in pim_channel_oil_free pimd/pim_oil.c:84 #3 0x555555717981 in pim_channel_oil_del pimd/pim_oil.c:199 #4 0x55555573c42c in tib_sg_gm_prune pimd/pim_tib.c:196 #5 0x5555557d6d04 in igmp_source_forward_stop pimd/pim_igmp.c:229 #6 0x5555557d5855 in igmp_anysource_forward_stop pimd/pim_igmp.c:61 #7 0x5555557de539 in igmp_group_timer pimd/pim_igmp.c:1344 #8 0x7ffff7275421 in event_call lib/event.c:1996 #9 0x7ffff7140797 in frr_run lib/libfrr.c:1237 #10 0x5555557f5840 in main pimd/pim_main.c:166 #11 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ffff767ba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153 #1 0x7ffff716ebe1 in qcalloc lib/memory.c:106 #2 0x555555716eb7 in pim_channel_oil_add pimd/pim_oil.c:133 #3 0x55555573b2b9 in tib_sg_oil_setup pimd/pim_tib.c:30 #4 0x55555573bdd3 in tib_sg_gm_join pimd/pim_tib.c:119 #5 0x5555557d6788 in igmp_source_forward_start pimd/pim_igmp.c:193 #6 0x5555557d5771 in igmp_anysource_forward_start pimd/pim_igmp.c:51 #7 0x5555557ecaa0 in group_exclude_fwd_anysrc_ifempty pimd/pim_igmpv3.c:310 #8 0x5555557ef937 in toex_incl pimd/pim_igmpv3.c:839 #9 0x5555557f00a2 in igmpv3_report_toex pimd/pim_igmpv3.c:938 #10 0x5555557f543d in igmp_v3_recv_report pimd/pim_igmpv3.c:2000 #11 0x5555557da2b4 in pim_igmp_packet pimd/pim_igmp.c:787 #12 0x5555556ee46a in process_igmp_packet pimd/pim_mroute.c:763 #13 0x5555556ee5f3 in pim_mroute_msg pimd/pim_mroute.c:787 #14 0x5555556eef58 in mroute_read pimd/pim_mroute.c:877 #15 0x7ffff7275421 in event_call lib/event.c:1996 #16 0x7ffff7140797 in frr_run lib/libfrr.c:1237 #17 0x5555557f5840 in main pimd/pim_main.c:166 #18 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free pimd/pim_igmpv3.c:340 in igmp_source_delete Shadow bytes around the buggy address: 0x0c2c8000dd40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000dd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000dd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000dd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000dd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c2c8000dd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd 0x0c2c8000dda0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000ddb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000ddc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000ddd0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa 0x0c2c8000dde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ``` Signed-off-by: Jafar Al-Gharaibeh <[email protected]>

The following ASAN issue has been observed: > ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000acba4 at pc 0x55910c5694d0 bp 0x7ffe3a8ac850 sp 0x7ffe3a8ac840 > READ of size 4 at 0x6160000acba4 thread T0 > #0 0x55910c5694cf in ctx_info_from_zns zebra/zebra_dplane.c:3315 > #1 0x55910c569696 in dplane_ctx_ns_init zebra/zebra_dplane.c:3331 > #2 0x55910c56bf61 in dplane_ctx_nexthop_init zebra/zebra_dplane.c:3680 > #3 0x55910c5711ca in dplane_nexthop_update_internal zebra/zebra_dplane.c:4490 > #4 0x55910c571c5c in dplane_nexthop_delete zebra/zebra_dplane.c:4717 > #5 0x55910c61e90e in zebra_nhg_uninstall_kernel zebra/zebra_nhg.c:3413 > #6 0x55910c615d8a in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1919 > #7 0x55910c6404db in route_entry_update_nhe zebra/zebra_rib.c:454 > #8 0x55910c64c904 in rib_re_nhg_free zebra/zebra_rib.c:2822 > #9 0x55910c655be2 in rib_unlink zebra/zebra_rib.c:4212 > #10 0x55910c6430f9 in zebra_rtable_node_cleanup zebra/zebra_rib.c:968 > #11 0x7f26f275b8a9 in route_node_free lib/table.c:75 > #12 0x7f26f275bae4 in route_table_free lib/table.c:111 > #13 0x7f26f275b749 in route_table_finish lib/table.c:46 > #14 0x55910c65db17 in zebra_router_free_table zebra/zebra_router.c:191 > #15 0x55910c65dfb5 in zebra_router_terminate zebra/zebra_router.c:244 > #16 0x55910c4f40db in zebra_finalize zebra/main.c:249 > #17 0x7f26f2777108 in event_call lib/event.c:2011 > #18 0x7f26f264180e in frr_run lib/libfrr.c:1212 > #19 0x55910c4f49cb in main zebra/main.c:531 > #20 0x7f26f2029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #21 0x7f26f2029e3f in __libc_start_main_impl ../csu/libc-start.c:392 > #22 0x55910c4b0114 in _start (/usr/lib/frr/zebra+0x1ae114) It happens with FRR using the kernel. During shutdown, the namespace identifier is attempted to be obtained by zebra, in an attempt to prepare zebra dataplane nexthop messages. Fix this by accessing the ns structure. Signed-off-by: Philippe Guibert <[email protected]>

The following ASAN issue has been observed: > ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000acba4 at pc 0x55910c5694d0 bp 0x7ffe3a8ac850 sp 0x7ffe3a8ac840 > READ of size 4 at 0x6160000acba4 thread T0 > #0 0x55910c5694cf in ctx_info_from_zns zebra/zebra_dplane.c:3315 > #1 0x55910c569696 in dplane_ctx_ns_init zebra/zebra_dplane.c:3331 > #2 0x55910c56bf61 in dplane_ctx_nexthop_init zebra/zebra_dplane.c:3680 > #3 0x55910c5711ca in dplane_nexthop_update_internal zebra/zebra_dplane.c:4490 > #4 0x55910c571c5c in dplane_nexthop_delete zebra/zebra_dplane.c:4717 > #5 0x55910c61e90e in zebra_nhg_uninstall_kernel zebra/zebra_nhg.c:3413 > #6 0x55910c615d8a in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1919 > #7 0x55910c6404db in route_entry_update_nhe zebra/zebra_rib.c:454 > #8 0x55910c64c904 in rib_re_nhg_free zebra/zebra_rib.c:2822 > #9 0x55910c655be2 in rib_unlink zebra/zebra_rib.c:4212 > #10 0x55910c6430f9 in zebra_rtable_node_cleanup zebra/zebra_rib.c:968 > #11 0x7f26f275b8a9 in route_node_free lib/table.c:75 > #12 0x7f26f275bae4 in route_table_free lib/table.c:111 > #13 0x7f26f275b749 in route_table_finish lib/table.c:46 > #14 0x55910c65db17 in zebra_router_free_table zebra/zebra_router.c:191 > #15 0x55910c65dfb5 in zebra_router_terminate zebra/zebra_router.c:244 > #16 0x55910c4f40db in zebra_finalize zebra/main.c:249 > #17 0x7f26f2777108 in event_call lib/event.c:2011 > #18 0x7f26f264180e in frr_run lib/libfrr.c:1212 > #19 0x55910c4f49cb in main zebra/main.c:531 > #20 0x7f26f2029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #21 0x7f26f2029e3f in __libc_start_main_impl ../csu/libc-start.c:392 > #22 0x55910c4b0114 in _start (/usr/lib/frr/zebra+0x1ae114) It happens with FRR using the kernel. During shutdown, the namespace identifier is attempted to be obtained by zebra, in an attempt to prepare zebra dataplane nexthop messages. Fix this by accessing the ns structure. Signed-off-by: Philippe Guibert <[email protected]> (cherry picked from commit 7ae70eb)

When shutdown a LAN-type circuit, and if the current device is not the DIS (assuming it is a level-1 device), the isis_circuit_down() function will not call the isis_dr_resign() function to clear the circuit->u.bc.run_dr_elect[0] bit (this bit is set on interfaces in the isis_run_dr() function). After switching the link to a P2P type, since u.p2p and u.bc form a union, and circuit->u.bc.snpa = "\000\000\000\000\000" and circuit->u.bc.run_dr_elect = "\001", this results in circuit->u.p2p.neighbor = 0x1000000000000. Consequently, the value of adj->sysid accesses a wild pointer, causing the current crash. The backtrace is as follows: (gdb) bt #0 0x00007fbd30e55fe1 in raise () from /lib/x86_64-linux-gnu/libpthread.so.0 #1 0x00007fbd30f76b29 in core_handler (signo=11, siginfo=0x7ffc60b7a270, context=0x7ffc60b7a140) at ../lib/sigevent.c:261 #2 <signal handler called> #3 0x00007fbd30dddba4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #4 0x0000562aec46617f in isis_spf_run_lfa (area=0x562aee3a56d0, spftree=0x562aee3a51a0) at ../isisd/isis_lfa.c:2403 #5 0x0000562aec483854 in isis_run_spf_with_protection (area=0x562aee3a56d0, spftree=0x562aee3a51a0) at ../isisd/isis_spf.c:1891 #6 0x0000562aec483b05 in isis_run_spf_cb (thread=0x7ffc60b7b000) at ../isisd/isis_spf.c:1953 #7 0x00007fbd30f900bb in thread_call (thread=0x7ffc60b7b000) at ../lib/thread.c:1990 #8 0x00007fbd30f2897b in frr_run (master=0x562aee0833c0) at ../lib/libfrr.c:1198 #9 0x0000562aec454d6d in main (argc=5, argv=0x7ffc60b7b228, envp=0x7ffc60b7b258) at ../isisd/isis_main.c:273 (gdb) f 4 #4 0x0000562aec46617f in isis_spf_run_lfa (area=0x562aee3a56d0, spftree=0x562aee3a51a0) at ../isisd/isis_lfa.c:2403 2403 ../isisd/isis_lfa.c: No such file or directory. (gdb) p circuit->u.p2p.neighbor $1 = (struct isis_adjacency *) 0x1000000000000 (gdb) p adj->sysid Cannot access memory at address 0x1000000000006 (gdb) p circuit->u.bc $2 = {snpa = "\000\000\000\000\000", run_dr_elect = "\001", t_run_dr = {0x0, 0x0}, t_send_lan_hello = {0x0, 0x0}, adjdb = {0x0, 0x0}, lan_neighs = {0x0, 0x0}, is_dr = "\000", l1_desig_is = "\000\000\000\000\000\000", l2_desig_is = "\000\000\000\000\000\000", t_refresh_pseudo_lsp = {0x0, 0x0}} (gdb) The backtrace provided above pertains to version 8.5.4, but it seems that the same issue exists in the code of the master branch as well. Signed-off-by: baozhen-H3C <[email protected]>

The following ASAN issue has been observed: > ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000acba4 at pc 0x55910c5694d0 bp 0x7ffe3a8ac850 sp 0x7ffe3a8ac840 > READ of size 4 at 0x6160000acba4 thread T0 > #0 0x55910c5694cf in ctx_info_from_zns zebra/zebra_dplane.c:3315 > #1 0x55910c569696 in dplane_ctx_ns_init zebra/zebra_dplane.c:3331 > #2 0x55910c56bf61 in dplane_ctx_nexthop_init zebra/zebra_dplane.c:3680 > #3 0x55910c5711ca in dplane_nexthop_update_internal zebra/zebra_dplane.c:4490 > #4 0x55910c571c5c in dplane_nexthop_delete zebra/zebra_dplane.c:4717 > #5 0x55910c61e90e in zebra_nhg_uninstall_kernel zebra/zebra_nhg.c:3413 > #6 0x55910c615d8a in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1919 > #7 0x55910c6404db in route_entry_update_nhe zebra/zebra_rib.c:454 > #8 0x55910c64c904 in rib_re_nhg_free zebra/zebra_rib.c:2822 > #9 0x55910c655be2 in rib_unlink zebra/zebra_rib.c:4212 > #10 0x55910c6430f9 in zebra_rtable_node_cleanup zebra/zebra_rib.c:968 > #11 0x7f26f275b8a9 in route_node_free lib/table.c:75 > #12 0x7f26f275bae4 in route_table_free lib/table.c:111 > #13 0x7f26f275b749 in route_table_finish lib/table.c:46 > #14 0x55910c65db17 in zebra_router_free_table zebra/zebra_router.c:191 > #15 0x55910c65dfb5 in zebra_router_terminate zebra/zebra_router.c:244 > #16 0x55910c4f40db in zebra_finalize zebra/main.c:249 > #17 0x7f26f2777108 in event_call lib/event.c:2011 > #18 0x7f26f264180e in frr_run lib/libfrr.c:1212 > #19 0x55910c4f49cb in main zebra/main.c:531 > #20 0x7f26f2029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #21 0x7f26f2029e3f in __libc_start_main_impl ../csu/libc-start.c:392 > #22 0x55910c4b0114 in _start (/usr/lib/frr/zebra+0x1ae114) It happens with FRR using the kernel. During shutdown, the namespace identifier is attempted to be obtained by zebra, in an attempt to prepare zebra dataplane nexthop messages. Fix this by accessing the ns structure. Signed-off-by: Philippe Guibert <[email protected]> (cherry picked from commit 7ae70eb)

… the neighbor status remains UP Test Scenario: RouterA and RouterB are in the same routing domain and have configured a P2P link. RouterA is configured with "is-type level-1" while RouterB is configured with "is-type level-1-2". They establish a level-1 UP neighborship. In this scenario, we expect that when RouterB's configuration is switched to "is-type level-2-only", the neighborship status on both RouterA and RouterB would be non-UP. However, RouterB still shows the neighbor as UP. Upon receiving a P2P Hello packet, the function "process_p2p_hello" is invoked. According to the ISO/IEC 10589 protocol specification, section 8.2.5.2 a) and tables 5 and 7, if the "iih->circ_type" of the neighbor's hello packet does not match one's own "circuit->is_type," we may choose to take no action. When establishing a neighborship for the first time, the neighbor's status can remain in the "Initializing" state. However, if the neighborship has already been established and one's own "circuit->is_type" changes, the neighbor's UP status cannot be reset. Therefore, when processing P2P Hello packets, we should be cognizant of changes in our own link adjacency type. Topotest has identified a core issue during testing. (gdb) bt "#0 0xb7efe579 in __kernel_vsyscall () \#1 0xb79f62f7 in ?? () \#2 0xbf981dd0 in ?? () \#3 <signal handler called> \#4 0xb79f7722 in ?? () \#5 0xb7ed8634 in _DYNAMIC () from /home/z15467/isis_core/usr/lib/i386-linux-gnu/frr/libfrr.so.0.0.0 \#6 0x0001003c in ?? () \#7 0x00010000 in ?? () \#8 0xb7df3322 in _frr_mtx_lock (mutex=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/frr_pthread.h:255 \#9 event_timer_remain_msec (thread=0x10000) at ../lib/event.c:734 \#10 event_timer_remain_msec (thread=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/event.c:727 \#11 0x004fb4aa in _send_hello_sched (circuit=<optimized out>, threadp=0x2189de0, level=1, delay=<optimized out>) at ../isisd/isis_pdu.c:2116 \#12 0x004e8dbc in isis_circuit_up (circuit=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../isisd/isis_circuit.c:734 \#13 0x004ea8f7 in isis_csm_state_change (event=<optimized out>, circuit=<optimized out>, arg=<optimized out>) at ../isisd/isis_csm.c:98 \#14 0x004ea23f in isis_circuit_circ_type_set (circuit=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, circ_type=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../isisd/isis_circuit.c:1578 \#15 0x0053aefa in lib_interface_isis_network_type_modify (args=<optimized out>) at ../isisd/isis_nb_config.c:4190 \#16 0xb7dbcc8d in nb_callback_modify (errmsg_len=8192, errmsg=0xbf982afc "", resource=0x2186220, dnode=<optimized out>, event=NB_EV_APPLY, nb_node=0x1fafe70, context=<optimized out>) at ../lib/northbound.c:1550 \#17 nb_callback_configuration (context=<optimized out>, event=NB_EV_APPLY, change=<optimized out>, errmsg=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg_len=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/northbound.c:1900 \#18 0xb7dbd646 in nb_transaction_process (errmsg_len=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, transaction=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, event=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/northbound.c:2028 \#19 nb_candidate_commit_apply (transaction=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, save_transaction=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, transaction_id=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg_len=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/northbound.c:1368 \#20 0xb7dbdd68 in nb_candidate_commit (context=..., candidate=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, save_transaction=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, comment=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, transaction_id=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg_len=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/northbound.c:1401 \#21 0xb7dc0cff in nb_cli_classic_commit (vty=vty@entry=0x21d6940) at ../lib/northbound_cli.c:57 \#22 0xb7dc0f46 in nb_cli_apply_changes_internal (vty=vty@entry=0x21d6940, xpath_base=xpath_base@entry=0xbf986b7c "/frr-interface:lib/interface[name='r5-eth0']", clear_pending=clear_pending@entry=false) at ../lib/northbound_cli.c:184 \#23 0xb7dc130b in nb_cli_apply_changes (vty=<optimized out>, xpath_base_fmt=<optimized out>) at ../lib/northbound_cli.c:240 \#24 0x00542c1d in isis_network_magic (self=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, argc=<optimized out>, argv=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, no=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vty=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../isisd/isis_cli.c:3101 \#25 isis_network (self=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vty=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, argc=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, argv=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ./isisd/isis_cli_clippy.c:5499 \#26 0xb7d6d8f1 in cmd_execute_command_real (vline=vline@entry=0x219afa0, vty=vty@entry=0x21d6940, cmd=cmd@entry=0x0, up_level=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/command.c:1003 \#27 0xb7d6d9e0 in cmd_execute_command (vline=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vty=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, cmd=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vtysh=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/command.c:1061 \#28 0xb7d6dc60 in cmd_execute (vty=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, cmd=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, matched=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vtysh=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/command.c:1228 \#29 0xb7dfb58a in vty_command (vty=vty@entry=0x21d6940, buf=0x21e0ff0 ' ' <repeats 12 times>, "isis network point-to-point") at ../lib/vty.c:625 \#30 0xb7dfc560 in vty_execute (vty=vty@entry=0x21d6940) at ../lib/vty.c:1388 \#31 0xb7dfdc8d in vtysh_read (thread=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/vty.c:2400 \#32 0xb7df4d47 in event_call (thread=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/event.c:2019 \#33 0xb7d9a831 in frr_run (master=<optimized out>) at ../lib/libfrr.c:1232 \#34 0x004e4758 in main (argc=7, argv=0xbf989a24, envp=0xbf989a44) at ../isisd/isis_main.c:354 (gdb) f 9 \#9 event_timer_remain_msec (thread=0x10000) at ../lib/event.c:734 734 ../lib/event.c: No such file or directory. (gdb) p pthread No symbol "pthread" in current context. (gdb) p thread $1 = (struct event *) 0x10000 When LAN links and P2P links share the` circuit->u` of a neighbor, if one link is no longer in use and the union is not cleared, the other link is unable to pass the non-empty check, resulting in accessing an invalid pointer. Unfortunately, for non-DIS devices in LAN links, `circuit->u.bc.run_dr_elect[x]` is essentially always 1, but in `isis_circuit_down()`,` circuit->u.bc.run_dr_elect[x] `will not be cleared because `circuit->u.bc.is_dr[x]` is always 0. Consequently, when switching to a P2P link, `isis_circuit_circ_type_set()` does not reset the link in a non-C_STATE_UP state, leading to subsequent accesses of `circuit->u.p2p.t_send_p2p_hello` resulting in a non-empty yet invalid address. I believe that in `isis_circuit_down()`, the LAN link should unconditionally clear `circuit->u.bc.run_dr_elect[x]`. Signed-off-by: zhou-run <[email protected]>

The following ASAN error can be seen. > ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x608000036c20 > #0 0x7f3d7a4b5425 in __interceptor_malloc_usable_size ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:198 > #1 0x7f3d7a426a16 in __sanitizer::BufferedStackTrace::Unwind(unsigned long, unsigned long, void*, bool, unsigned int) ../../../../src/libsanitizer/sanitizer_common > /sanitizer_stacktrace.h:122 > #2 0x7f3d7a426a16 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1074 > #3 0x7f3d7a03f330 in mt_count_free lib/memory.c:78 > #4 0x7f3d7a03f330 in qfree lib/memory.c:130 > #5 0x7f3d76ccf89b in bmp_peer_status_changed bgpd/bgp_bmp.c:982 > #6 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47 > #7 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287 > #8 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777 > #9 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140 > #10 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764 > #11 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003 > #12 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062 > #13 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228 > #14 0x7f3d7a107b53 in vty_command lib/vty.c:625 > #15 0x7f3d7a109902 in vty_execute lib/vty.c:1388 > #16 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400 > #17 0x7f3d7a0f848b in event_call lib/event.c:2019 > #18 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232 > #19 0x560ae29e0037 in main bgpd/bgp_main.c:555 > #20 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #21 0x7f3d79a29e3f in __libc_start_main_impl ../csu/libc-start.c:392 > #22 0x560ae29e4ef4 in _start (/usr/lib/frr/bgpd+0x2eeef4) > > 0x608000036c20 is located 0 bytes inside of 81-byte region [0x608000036c20,0x608000036c71) > freed by thread T0 here: > #0 0x7f3d7a4b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 > #1 0x7f3d76ccf85f in bmp_peer_status_changed bgpd/bgp_bmp.c:981 > #2 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47 > #3 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287 > #4 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777 > #5 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140 > #6 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764 > #7 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003 > #8 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062 > #9 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228 > #10 0x7f3d7a107b53 in vty_command lib/vty.c:625 > #11 0x7f3d7a109902 in vty_execute lib/vty.c:1388 > #12 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400 > #13 0x7f3d7a0f848b in event_call lib/event.c:2019 > #14 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232 > #15 0x560ae29e0037 in main bgpd/bgp_main.c:555 > #16 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > previously allocated by thread T0 here: > #0 0x7f3d7a4b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 > #1 0x7f3d7a03f0e9 in qmalloc lib/memory.c:101 > #2 0x7f3d76cd0166 in bmp_bgp_peer_vrf bgpd/bgp_bmp.c:2194 > #3 0x7f3d76cd0166 in bmp_bgp_update_vrf_status bgpd/bgp_bmp.c:2236 > #4 0x7f3d76cd29b8 in bmp_vrf_state_changed bgpd/bgp_bmp.c:3479 > #5 0x560ae2c45b34 in hook_call_bgp_instance_state bgpd/bgpd.c:88 > #6 0x560ae2c4d158 in bgp_instance_up bgpd/bgpd.c:3936 > #7 0x560ae29e5ed1 in bgp_vrf_enable bgpd/bgp_main.c:299 > #8 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:286 > #9 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:275 > #10 0x7f3d7a12ab66 in zclient_vrf_add lib/zclient.c:2561 > #11 0x7f3d7a12eb43 in zclient_read lib/zclient.c:4624 > #12 0x7f3d7a0f848b in event_call lib/event.c:2019 > #13 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232 > #14 0x560ae29e0037 in main bgpd/bgp_main.c:555 > #15 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Philippe Guibert <[email protected]>

The following memory leak can be observed when turning off and on the BGP vrf interface. > ==706056==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 78 byte(s) in 1 object(s) allocated from: > #0 0x7fbf5f6b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 > #1 0x7fbf5f0771f8 in qmalloc lib/memory.c:101 > #2 0x7fbf5bdde610 in bmp_bgp_peer_vrf bgpd/bgp_bmp.c:2042 > #3 0x7fbf5bdde8aa in bmp_bgp_update_vrf_status bgpd/bgp_bmp.c:2079 > #4 0x7fbf5bdeaa1c in bmp_vrf_itf_state_changed bgpd/bgp_bmp.c:3204 > #5 0x562740f0d83f in hook_call_bgp_vrf_status_changed bgpd/bgp_zebra.c:64 > #6 0x562740f0ee28 in bgp_ifp_up bgpd/bgp_zebra.c:234 > #7 0x7fbf5f01c193 in hook_call_if_up lib/if.c:57 > #8 0x7fbf5f01d09a in if_up_via_zapi lib/if.c:203 > #9 0x7fbf5f1d6f54 in zclient_interface_up lib/zclient.c:2671 > #10 0x7fbf5f1e3e5a in zclient_read lib/zclient.c:4624 > #11 0x7fbf5f18078d in event_call lib/event.c:1996 > #12 0x7fbf5f048933 in frr_run lib/libfrr.c:1232 > #13 0x562740c0cae1 in main bgpd/bgp_main.c:557 > #14 0x7fbf5ea29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 78 byte(s) in 1 object(s) allocated from: > #0 0x7fbf5f6b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 > #1 0x7fbf5f0771f8 in qmalloc lib/memory.c:101 > #2 0x7fbf5bdde610 in bmp_bgp_peer_vrf bgpd/bgp_bmp.c:2042 > #3 0x7fbf5bdde8aa in bmp_bgp_update_vrf_status bgpd/bgp_bmp.c:2079 > #4 0x7fbf5bdd4839 in bmp_send_peerup_vrf bgpd/bgp_bmp.c:627 > #5 0x7fbf5bddb0d3 in bmp_wrfill bgpd/bgp_bmp.c:1590 > #6 0x7fbf5f10841f in pullwr_run lib/pullwr.c:197 > #7 0x7fbf5f18078d in event_call lib/event.c:1996 > #8 0x7fbf5f048933 in frr_run lib/libfrr.c:1232 > #9 0x562740c0cae1 in main bgpd/bgp_main.c:557 > #10 0x7fbf5ea29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fix this by freeing the previous open_tx and open_rx contexts before setting up the new one. Also at deletion of peer, free the open_rx context. Signed-off-by: Philippe Guibert <[email protected]>

The following memory leak is observed when running bgp_bmp test. > ==614841==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 81 byte(s) in 1 object(s) allocated from: > #0 0x7f0e9f2b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 > #1 0x7f0e9ec771f8 in qmalloc lib/memory.c:101 > #2 0x7f0e9e5a2f89 in bmp_bgp_peer_vrf bgpd/bgp_bmp.c:2211 > #3 0x7f0e9e5a31a8 in bmp_bgp_update_vrf_status bgpd/bgp_bmp.c:2247 > #4 0x7f0e9e5b0325 in bmp_bgp_attribute_updated_instance bgpd/bgp_bmp.c:3476 > #5 0x7f0e9e5b0661 in bmp_bgp_attribute_updated bgpd/bgp_bmp.c:3526 > #6 0x7f0e9e5b08ae in bmp_routerid_update bgpd/bgp_bmp.c:3547 > #7 0x55cdc4bcbd88 in hook_call_bgp_routerid_update bgpd/bgpd.c:89 > #8 0x55cdc4bccf0b in bgp_router_id_set bgpd/bgpd.c:305 > #9 0x55cdc4bcd87d in bgp_router_id_zebra_bump bgpd/bgpd.c:393 > #10 0x55cdc4ba87d5 in bgp_router_id_update bgpd/bgp_zebra.c:99 > #11 0x7f0e9ede3f0b in zclient_read lib/zclient.c:4626 > #12 0x7f0e9ed8074d in event_call lib/event.c:1996 > #13 0x7f0e9ec48933 in frr_run lib/libfrr.c:1232 > #14 0x55cdc48a9a27 in main bgpd/bgp_main.c:555 > #15 0x7f0e9e629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 81 byte(s) in 1 object(s) allocated from: > #0 0x7f0e9f2b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 > #1 0x7f0e9ec771f8 in qmalloc lib/memory.c:101 > #2 0x7f0e9e5a2ed8 in bmp_bgp_peer_vrf bgpd/bgp_bmp.c:2207 > #3 0x7f0e9e5a31a8 in bmp_bgp_update_vrf_status bgpd/bgp_bmp.c:2247 > #4 0x7f0e9e5b0325 in bmp_bgp_attribute_updated_instance bgpd/bgp_bmp.c:3476 > #5 0x7f0e9e5b0661 in bmp_bgp_attribute_updated bgpd/bgp_bmp.c:3526 > #6 0x7f0e9e5b08ae in bmp_routerid_update bgpd/bgp_bmp.c:3547 > #7 0x55cdc4bcbd88 in hook_call_bgp_routerid_update bgpd/bgpd.c:89 > #8 0x55cdc4bccf0b in bgp_router_id_set bgpd/bgpd.c:305 > #9 0x55cdc4bcd87d in bgp_router_id_zebra_bump bgpd/bgpd.c:393 > #10 0x55cdc4ba87d5 in bgp_router_id_update bgpd/bgp_zebra.c:99 > #11 0x7f0e9ede3f0b in zclient_read lib/zclient.c:4626 > #12 0x7f0e9ed8074d in event_call lib/event.c:1996 > #13 0x7f0e9ec48933 in frr_run lib/libfrr.c:1232 > #14 0x55cdc48a9a27 in main bgpd/bgp_main.c:555 > #15 0x7f0e9e629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 64 byte(s) in 1 object(s) allocated from: > #0 0x7f0e9f2b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f0e9ec77235 in qcalloc lib/memory.c:106 > #2 0x7f0e9e5a498d in bmp_imported_bgp_get bgpd/bgp_bmp.c:2441 > #3 0x7f0e9e5acbed in bmp_import_vrf_magic bgpd/bgp_bmp.c:2855 > #4 0x7f0e9e5a7f97 in bmp_import_vrf bgpd/bgp_bmp_clippy.c:147 > #5 0x7f0e9ebb1178 in cmd_execute_command_real lib/command.c:1003 > #6 0x7f0e9ebb1505 in cmd_execute_command lib/command.c:1062 > #7 0x7f0e9ebb21d7 in cmd_execute lib/command.c:1228 > #8 0x7f0e9ed90bf0 in vty_command lib/vty.c:626 > #9 0x7f0e9ed95ad5 in vty_execute lib/vty.c:1389 > #10 0x7f0e9ed9c01e in vtysh_read lib/vty.c:2408 > #11 0x7f0e9ed8074d in event_call lib/event.c:1996 > #12 0x7f0e9ec48933 in frr_run lib/libfrr.c:1232 > #13 0x55cdc48a9a27 in main bgpd/bgp_main.c:555 > #14 0x7f0e9e629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 6 byte(s) in 1 object(s) allocated from: > #0 0x7f0e9f25b9a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454 > #1 0x7f0e9ec772fa in qstrdup lib/memory.c:118 > #2 0x55cdc4b57d54 in af_rd_vpn_export_magic bgpd/bgp_vty.c:9814 > #3 0x55cdc4b288d7 in af_rd_vpn_export bgpd/bgp_vty_clippy.c:3493 > #4 0x7f0e9ebb1178 in cmd_execute_command_real lib/command.c:1003 > #5 0x7f0e9ebb1505 in cmd_execute_command lib/command.c:1062 > #6 0x7f0e9ebb21d7 in cmd_execute lib/command.c:1228 > #7 0x7f0e9ed90bf0 in vty_command lib/vty.c:626 > #8 0x7f0e9ed95ad5 in vty_execute lib/vty.c:1389 > #9 0x7f0e9ed9c01e in vtysh_read lib/vty.c:2408 > #10 0x7f0e9ed8074d in event_call lib/event.c:1996 > #11 0x7f0e9ec48933 in frr_run lib/libfrr.c:1232 > #12 0x55cdc48a9a27 in main bgpd/bgp_main.c:555 > #13 0x7f0e9e629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Indirect leak of 5 byte(s) in 1 object(s) allocated from: > #0 0x7f0e9f25b9a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454 > #1 0x7f0e9ec772fa in qstrdup lib/memory.c:118 > #2 0x7f0e9e5a49ae in bmp_imported_bgp_get bgpd/bgp_bmp.c:2443 > #3 0x7f0e9e5acbed in bmp_import_vrf_magic bgpd/bgp_bmp.c:2855 > #4 0x7f0e9e5a7f97 in bmp_import_vrf bgpd/bgp_bmp_clippy.c:147 > #5 0x7f0e9ebb1178 in cmd_execute_command_real lib/command.c:1003 > #6 0x7f0e9ebb1505 in cmd_execute_command lib/command.c:1062 > #7 0x7f0e9ebb21d7 in cmd_execute lib/command.c:1228 > #8 0x7f0e9ed90bf0 in vty_command lib/vty.c:626 > #9 0x7f0e9ed95ad5 in vty_execute lib/vty.c:1389 > #10 0x7f0e9ed9c01e in vtysh_read lib/vty.c:2408 > #11 0x7f0e9ed8074d in event_call lib/event.c:1996 > #12 0x7f0e9ec48933 in frr_run lib/libfrr.c:1232 > #13 0x55cdc48a9a27 in main bgpd/bgp_main.c:555 > #14 0x7f0e9e629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > SUMMARY: AddressSanitizer: 237 byte(s) leaked in 5 allocation(s). Fix this by freeing the missing memory block that helps building the open message to send to remote bmp collector. Signed-off-by: Philippe Guibert <[email protected]>

> ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f73891cb146 bp 0x7ffca86584c0 sp 0x7ffca8658490 T0) > ==837617==The signal is caused by a READ memory access. > ==837617==Hint: address points to the zero page. > #0 0x7f73891cb146 in bmp_targets_const_next bgpd/bgp_bmp.c:149 > #1 0x7f73891cb1a5 in bmp_targets_next bgpd/bgp_bmp.c:149 > #2 0x7f73891e875a in _bmp_vrf_state_changed_internal bgpd/bgp_bmp.c:3520 > #3 0x7f73891e8922 in bmp_vrf_itf_state_changed bgpd/bgp_bmp.c:3566 > #4 0x55e511af8d1b in hook_call_bgp_vrf_status_changed bgpd/bgp_zebra.c:64 > #5 0x55e511afa304 in bgp_ifp_up bgpd/bgp_zebra.c:234 > #6 0x7f738981c193 in hook_call_if_up lib/if.c:57 > #7 0x7f738981d09a in if_up_via_zapi lib/if.c:203 > #8 0x7f73899d6f54 in zclient_interface_up lib/zclient.c:2671 > #9 0x7f73899e3e5a in zclient_read lib/zclient.c:4624 > #10 0x7f738998078d in event_call lib/event.c:1996 > #11 0x7f7389848933 in frr_run lib/libfrr.c:1232 > #12 0x55e5117f7ae1 in main bgpd/bgp_main.c:557 > #13 0x7f7389229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #14 0x7f7389229e3f in __libc_start_main_impl ../csu/libc-start.c:392 > #15 0x55e5117f4234 in _start (/usr/lib/frr/bgpd+0x2ec234) Signed-off-by: Philippe Guibert <[email protected]>

Some bgp evpn memory contexts are not freed at the end of the bgp process. > ================================================================= > ==1208677==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 96 byte(s) in 2 object(s) allocated from: > #0 0x7f93ad4b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f93ace77233 in qcalloc lib/memory.c:106 > #2 0x563bb68f4df1 in process_type5_route bgpd/bgp_evpn.c:5084 > #3 0x563bb68fb663 in bgp_nlri_parse_evpn bgpd/bgp_evpn.c:6302 > #4 0x563bb69ea2a9 in bgp_nlri_parse bgpd/bgp_packet.c:347 > #5 0x563bb69f7716 in bgp_update_receive bgpd/bgp_packet.c:2482 > #6 0x563bb6a04d3b in bgp_process_packet bgpd/bgp_packet.c:4091 > #7 0x7f93acf8082d in event_call lib/event.c:1996 > #8 0x7f93ace48931 in frr_run lib/libfrr.c:1232 > #9 0x563bb6880ae1 in main bgpd/bgp_main.c:557 > #10 0x7f93ac829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Actually, the bgp evpn context may noy be used if adj rib in is unused. This may lead to memory leaks. Fix this by freeing the context in those corner cases. Signed-off-by: Philippe Guibert <[email protected]>

When running the bgp_evpn_rt5 setup with unified config, memory leak about a non deleted BGP instance happens. > root@ubuntu2204hwe:~/frr/tests/topotests/bgp_evpn_rt5# cat /tmp/topotests/bgp_evpn_rt5.test_bgp_evpn/r1.asan.bgpd.1164105 > > ================================================================= > ==1164105==ERROR: LeakSanitizer: detected memory leaks > > Indirect leak of 12496 byte(s) in 1 object(s) allocated from: > #0 0x7f358eeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f358e877233 in qcalloc lib/memory.c:106 > #2 0x55d06c95680a in bgp_create bgpd/bgpd.c:3405 > #3 0x55d06c95a7b3 in bgp_get bgpd/bgpd.c:3805 > #4 0x55d06c87a9b5 in bgp_get_vty bgpd/bgp_vty.c:603 > #5 0x55d06c68dc71 in bgp_evpn_local_l3vni_add bgpd/bgp_evpn.c:7032 > #6 0x55d06c92989b in bgp_zebra_process_local_l3vni bgpd/bgp_zebra.c:3204 > #7 0x7f358e9e3feb in zclient_read lib/zclient.c:4626 > #8 0x7f358e98082d in event_call lib/event.c:1996 > #9 0x7f358e848931 in frr_run lib/libfrr.c:1232 > #10 0x55d06c60eae1 in main bgpd/bgp_main.c:557 > #11 0x7f358e229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Actually, a BGP VRF Instance is created in auto mode when creating the global BGP instance for the L3 VNI. And again, an other BGP VRF instance is created. Fix this by ensuring that a non existing BGP instance is not present. If it is present, and with auto mode or in hidden mode, then override the AS value. Fixes: f153b9a ("bgpd: Ignore auto created VRF BGP instances") Signed-off-by: Philippe Guibert <[email protected]>

When running the bgp_evpn_rt5 setup with unified config, memory leak about a non deleted BGP instance happens. > root@ubuntu2204hwe:~/frr/tests/topotests/bgp_evpn_rt5# cat /tmp/topotests/bgp_evpn_rt5.test_bgp_evpn/r1.asan.bgpd.1164105 > > ================================================================= > ==1164105==ERROR: LeakSanitizer: detected memory leaks > > Indirect leak of 12496 byte(s) in 1 object(s) allocated from: > #0 0x7f358eeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f358e877233 in qcalloc lib/memory.c:106 > #2 0x55d06c95680a in bgp_create bgpd/bgpd.c:3405 > #3 0x55d06c95a7b3 in bgp_get bgpd/bgpd.c:3805 > #4 0x55d06c87a9b5 in bgp_get_vty bgpd/bgp_vty.c:603 > #5 0x55d06c68dc71 in bgp_evpn_local_l3vni_add bgpd/bgp_evpn.c:7032 > #6 0x55d06c92989b in bgp_zebra_process_local_l3vni bgpd/bgp_zebra.c:3204 > #7 0x7f358e9e3feb in zclient_read lib/zclient.c:4626 > #8 0x7f358e98082d in event_call lib/event.c:1996 > #9 0x7f358e848931 in frr_run lib/libfrr.c:1232 > #10 0x55d06c60eae1 in main bgpd/bgp_main.c:557 > #11 0x7f358e229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Actually, a BGP VRF Instance is created in auto mode when creating the global BGP instance for the L3 VNI. And again, an other BGP VRF instance is created. Fix this by ensuring that a non existing BGP instance is not present. If it is present, and with auto mode or in hidden mode, then override the AS value. Fixes: f153b9a ("bgpd: Ignore auto created VRF BGP instances") Signed-off-by: Philippe Guibert <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]>

When staticd receives a `ZAPI_SRV6_SID_RELEASED` notification from SRv6 SID Manager, it tries to unset the validity flag of `sid`. But since the `sid` variable is NULL, we get a NULL pointer dereference. ``` ================================================================= ==13815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0xc14b813d9eac bp 0xffffcb135a40 sp 0xffffcb135a40 T0) ==13815==The signal is caused by a READ memory access. ==13815==Hint: address points to the zero page. #0 0xc14b813d9eac in static_zebra_srv6_sid_notify staticd/static_zebra.c:1172 #1 0xe44e7aa2c194 in zclient_read lib/zclient.c:4746 #2 0xe44e7a9b69d8 in event_call lib/event.c:1984 #3 0xe44e7a85ac28 in frr_run lib/libfrr.c:1246 #4 0xc14b813ccf98 in main staticd/static_main.c:193 #5 0xe44e7a4773f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #6 0xe44e7a4774c8 in __libc_start_main_impl ../csu/libc-start.c:392 #7 0xc14b813cc92c in _start (/usr/lib/frr/staticd+0x1c92c) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV staticd/static_zebra.c:1172 in static_zebra_srv6_sid_notify ==13815==ABORTING ``` This commit fixes the problem by doing a SID lookup first. If the SID can't be found, we log an error and return. If the SID is found, we go ahead and unset the validity flag. Signed-off-by: Carmine Scarpitta <[email protected]>

When running the bgp_evpn_rt5 setup with unified config, memory leak about a non deleted BGP instance happens. > root@ubuntu2204hwe:~/frr/tests/topotests/bgp_evpn_rt5# cat /tmp/topotests/bgp_evpn_rt5.test_bgp_evpn/r1.asan.bgpd.1164105 > > ================================================================= > ==1164105==ERROR: LeakSanitizer: detected memory leaks > > Indirect leak of 12496 byte(s) in 1 object(s) allocated from: > #0 0x7f358eeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f358e877233 in qcalloc lib/memory.c:106 > #2 0x55d06c95680a in bgp_create bgpd/bgpd.c:3405 > #3 0x55d06c95a7b3 in bgp_get bgpd/bgpd.c:3805 > #4 0x55d06c87a9b5 in bgp_get_vty bgpd/bgp_vty.c:603 > #5 0x55d06c68dc71 in bgp_evpn_local_l3vni_add bgpd/bgp_evpn.c:7032 > #6 0x55d06c92989b in bgp_zebra_process_local_l3vni bgpd/bgp_zebra.c:3204 > #7 0x7f358e9e3feb in zclient_read lib/zclient.c:4626 > #8 0x7f358e98082d in event_call lib/event.c:1996 > #9 0x7f358e848931 in frr_run lib/libfrr.c:1232 > #10 0x55d06c60eae1 in main bgpd/bgp_main.c:557 > #11 0x7f358e229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Actually, a BGP VRF Instance is created in auto mode when creating the global BGP instance for the L3 VNI. And again, an other BGP VRF instance is created. Fix this by ensuring that a non existing BGP instance is not present. If it is present, and with auto mode or in hidden mode, then override the AS value. Fixes: f153b9a ("bgpd: Ignore auto created VRF BGP instances") Signed-off-by: Philippe Guibert <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]>

Fix a heap-after-free that causes zebra to crash even without address-sanitizer. To reproduce: > echo "100 my_table" | tee -a /etc/iproute2/rt_tables > ip route add blackhole default table 100 > ip route show table 100 > ip l add red type vrf table 100 > ip l del red > ip route del blackhole default table 100 Zebra manages routing tables for all existing Linux RT tables, regardless of whether they are assigned to a VRF interface. When a table is not assigned to any VRF, zebra arbitrarily assigns it to the default VRF, even though this is not strictly accurate (the code expects this behavior). When an RT table is created after a VRF, zebra correctly assigns the table to the VRF. However, if a VRF interface is assigned to an existing RT table, zebra does not update the table owner, which remains as the default VRF. As a result, existing routing entries remain under the default VRF, while new entries are correctly assigned to the VRF. The VRF mismatch is unexpected in the code and creates crashes and memory related issues. Furthermore, Linux does not automatically delete RT tables when they are unassigned from a VRF. It is incorrect to delete these tables from zebra. Instead, at VRF disabling, do not release the table but reassign it to the default VRF. At VRF enabling, change the table owner back to the appropriate VRF. > ==2866266==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000154f54 at pc 0x7fa32474b83f bp 0x7ffe94f67d90 sp 0x7ffe94f67d88 > READ of size 1 at 0x606000154f54 thread T0 > #0 0x7fa32474b83e in rn_hash_node_const_find lib/table.c:28 > #1 0x7fa32474bab1 in rn_hash_node_find lib/table.c:28 > #2 0x7fa32474d783 in route_node_get lib/table.c:283 > #3 0x7fa3247328dd in srcdest_rnode_get lib/srcdest_table.c:231 > #4 0x55b0e4fa8da4 in rib_find_rn_from_ctx zebra/zebra_rib.c:1957 > #5 0x55b0e4fa8e31 in rib_process_result zebra/zebra_rib.c:1988 > #6 0x55b0e4fb9d64 in rib_process_dplane_results zebra/zebra_rib.c:4894 > #7 0x7fa32476689c in event_call lib/event.c:1996 > #8 0x7fa32463b7b2 in frr_run lib/libfrr.c:1232 > #9 0x55b0e4e6c32a in main zebra/main.c:526 > #10 0x7fa32424fd09 in __libc_start_main ../csu/libc-start.c:308 > #11 0x55b0e4e2d649 in _start (/usr/lib/frr/zebra+0x1a1649) > > 0x606000154f54 is located 20 bytes inside of 56-byte region [0x606000154f40,0x606000154f78) > freed by thread T0 here: > #0 0x7fa324ca9b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123 > #1 0x7fa324668d8f in qfree lib/memory.c:130 > #2 0x7fa32474c421 in route_table_free lib/table.c:126 > #3 0x7fa32474bf96 in route_table_finish lib/table.c:46 > #4 0x55b0e4fbca3a in zebra_router_free_table zebra/zebra_router.c:191 > #5 0x55b0e4fbccea in zebra_router_release_table zebra/zebra_router.c:214 > #6 0x55b0e4fd428e in zebra_vrf_disable zebra/zebra_vrf.c:219 > #7 0x7fa32476fabf in vrf_disable lib/vrf.c:326 > #8 0x7fa32476f5d4 in vrf_delete lib/vrf.c:231 > #9 0x55b0e4e4ad36 in interface_vrf_change zebra/interface.c:1478 > #10 0x55b0e4e4d5d2 in zebra_if_dplane_ifp_handling zebra/interface.c:1949 > #11 0x55b0e4e4fb89 in zebra_if_dplane_result zebra/interface.c:2268 > #12 0x55b0e4fb9f26 in rib_process_dplane_results zebra/zebra_rib.c:4954 > #13 0x7fa32476689c in event_call lib/event.c:1996 > #14 0x7fa32463b7b2 in frr_run lib/libfrr.c:1232 > #15 0x55b0e4e6c32a in main zebra/main.c:526 > #16 0x7fa32424fd09 in __libc_start_main ../csu/libc-start.c:308 > > previously allocated by thread T0 here: > #0 0x7fa324caa037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fa324668c4d in qcalloc lib/memory.c:105 > #2 0x7fa32474bf33 in route_table_init_with_delegate lib/table.c:38 > #3 0x7fa32474e73c in route_table_init lib/table.c:512 > #4 0x55b0e4fbc353 in zebra_router_get_table zebra/zebra_router.c:137 > #5 0x55b0e4fd4da0 in zebra_vrf_table_create zebra/zebra_vrf.c:358 > #6 0x55b0e4fd3d30 in zebra_vrf_enable zebra/zebra_vrf.c:140 > #7 0x7fa32476f9b2 in vrf_enable lib/vrf.c:286 > #8 0x55b0e4e4af76 in interface_vrf_change zebra/interface.c:1533 > #9 0x55b0e4e4d612 in zebra_if_dplane_ifp_handling zebra/interface.c:1968 > #10 0x55b0e4e4fb89 in zebra_if_dplane_result zebra/interface.c:2268 > #11 0x55b0e4fb9f26 in rib_process_dplane_results zebra/zebra_rib.c:4954 > #12 0x7fa32476689c in event_call lib/event.c:1996 > #13 0x7fa32463b7b2 in frr_run lib/libfrr.c:1232 > #14 0x55b0e4e6c32a in main zebra/main.c:526 > #15 0x7fa32424fd09 in __libc_start_main ../csu/libc-start.c:308 Fixes: d8612e6 ("zebra: Track tables allocated by vrf and cleanup") Signed-off-by: Louis Scalbert <[email protected]>

Issue: Not freeing the neighbor n within the same function can lead to memory leak. zebra_neigh_del_all() -> zebra_neigh_del() re lookup and free Fix: not accessing n after its freed. Directly free the neighbor entry (n) when its interface index matches ifp->ifindex. This fixes: ERROR: AddressSanitizer: heap-use-after-free on address 0x6070001052e8 at pc 0x7f6bf7d09ddb bp 0x7ffd3366a000 sp 0x7ffd33669ff0 READ of size 8 at 0x6070001052e8 thread T0 #0 0x7f6bf7d09dda in _rb_next lib/openbsd-tree.c:455 #1 0x55f95a307261 in zebra_neigh_rb_head_RB_NEXT zebra/zebra_neigh.h:34 #2 0x55f95a3082e9 in zebra_neigh_del_all zebra/zebra_neigh.c:162 #3 0x55f95a121ee7 in zebra_interface_down_update zebra/redistribute.c:571 #4 0x55f95a0f819d in if_down zebra/interface.c:1017 #5 0x55f95a0fe168 in zebra_if_dplane_ifp_handling zebra/interface.c:2102 #6 0x55f95a0ff10c in zebra_if_dplane_result zebra/interface.c:2241 #7 0x55f95a27ce9c in rib_process_dplane_results zebra/zebra_rib.c:5015 #8 0x7f6bf7da3ad9 in event_call lib/event.c:1984 #9 0x7f6bf7c62141 in frr_run lib/libfrr.c:1246 #10 0x55f95a11ca7f in main zebra/main.c:543 #11 0x7f6bf7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #12 0x7f6bf7029e3f in __libc_start_main_impl ../csu/libc-start.c:392 #13 0x55f95a0dd0b4 in _start (/usr/lib/frr/zebra+0x1a80b4) Ticket: FRRouting#18047 Signed-off-by: Rajesh Varatharaj <[email protected]>

> ==713776==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 120 byte(s) in 1 object(s) allocated from: > #0 0x7fdfcbeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fdfcb86f8dd in qcalloc lib/memory.c:105 > #2 0x55ce707739b6 in isis_tlvs_find_alloc_asla isisd/isis_tlvs.c:8500 > #3 0x55ce7072fae0 in isis_link_params_update_asla isisd/isis_te.c:191 > #4 0x55ce70733881 in isis_link_params_update isisd/isis_te.c:499 > #5 0x55ce70693f2a in isis_circuit_up isisd/isis_circuit.c:776 > #6 0x55ce7069a120 in isis_csm_state_change isisd/isis_csm.c:135 > #7 0x55ce7068dd80 in isis_circuit_enable isisd/isis_circuit.c:79 > #8 0x55ce70699346 in isis_ifp_create isisd/isis_circuit.c:1618 > #9 0x7fdfcb81f47f in hook_call_if_real lib/if.c:55 > #10 0x7fdfcb82056e in if_new_via_zapi lib/if.c:188 > #11 0x7fdfcb9d17da in zclient_interface_add lib/zclient.c:2706 > #12 0x7fdfcb9df842 in zclient_read lib/zclient.c:4843 > #13 0x7fdfcb97798e in event_call lib/event.c:2011 > #14 0x7fdfcb842ff1 in frr_run lib/libfrr.c:1216 > #15 0x55ce7067cbf2 in main isisd/isis_main.c:360 > #16 0x7fdfcb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Indirect leak of 8 byte(s) in 1 object(s) allocated from: > #0 0x7fdfcbeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fdfcb86f8dd in qcalloc lib/memory.c:105 > #2 0x7fdfcb79a7b7 in admin_group_init lib/admin_group.c:186 > #3 0x55ce707739ca in isis_tlvs_find_alloc_asla isisd/isis_tlvs.c:8501 > #4 0x55ce7072fae0 in isis_link_params_update_asla isisd/isis_te.c:191 > #5 0x55ce70733881 in isis_link_params_update isisd/isis_te.c:499 > #6 0x55ce70693f2a in isis_circuit_up isisd/isis_circuit.c:776 > #7 0x55ce7069a120 in isis_csm_state_change isisd/isis_csm.c:135 > #8 0x55ce7068dd80 in isis_circuit_enable isisd/isis_circuit.c:79 > #9 0x55ce70699346 in isis_ifp_create isisd/isis_circuit.c:1618 > #10 0x7fdfcb81f47f in hook_call_if_real lib/if.c:55 > #11 0x7fdfcb82056e in if_new_via_zapi lib/if.c:188 > #12 0x7fdfcb9d17da in zclient_interface_add lib/zclient.c:2706 > #13 0x7fdfcb9df842 in zclient_read lib/zclient.c:4843 > #14 0x7fdfcb97798e in event_call lib/event.c:2011 > #15 0x7fdfcb842ff1 in frr_run lib/libfrr.c:1216 > #16 0x55ce7067cbf2 in main isisd/isis_main.c:360 > #17 0x7fdfcb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 PR: 95719 Fixes: 5749ac8 ("isisd: add ASLA support") Signed-off-by: Louis Scalbert <[email protected]>

We are obviously doing deleting on wrong object. > Direct leak of 40 byte(s) in 1 object(s) allocated from: > #0 0x7fcf718b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fcf7126f8dd in qcalloc lib/memory.c:105 > #2 0x7fcf7124401a in list_new lib/linklist.c:49 > #3 0x55771621d86d in pbr_iptable_alloc_intern zebra/zebra_pbr.c:1015 > #4 0x7fcf71217d79 in hash_get lib/hash.c:147 > #5 0x55771621dad3 in zebra_pbr_add_iptable zebra/zebra_pbr.c:1030 > #6 0x55771614d00c in zread_iptable zebra/zapi_msg.c:4131 > #7 0x55771614e586 in zserv_handle_commands zebra/zapi_msg.c:4424 > #8 0x5577162dae2c in zserv_process_messages zebra/zserv.c:521 > #9 0x7fcf7137798e in event_call lib/event.c:2011 > #10 0x7fcf71242ff1 in frr_run lib/libfrr.c:1216 > #11 0x5577160e4d6d in main zebra/main.c:540 > #12 0x7fcf70c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Indirect leak of 24 byte(s) in 1 object(s) allocated from: > #0 0x7fcf718b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fcf7126f8dd in qcalloc lib/memory.c:105 > #2 0x7fcf71244129 in listnode_new lib/linklist.c:71 > #3 0x7fcf71244238 in listnode_add lib/linklist.c:92 > #4 0x55771621d938 in pbr_iptable_alloc_intern zebra/zebra_pbr.c:1019 > #5 0x7fcf71217d79 in hash_get lib/hash.c:147 > #6 0x55771621dad3 in zebra_pbr_add_iptable zebra/zebra_pbr.c:1030 > #7 0x55771614d00c in zread_iptable zebra/zapi_msg.c:4131 > #8 0x55771614e586 in zserv_handle_commands zebra/zapi_msg.c:4424 > #9 0x5577162dae2c in zserv_process_messages zebra/zserv.c:521 > #10 0x7fcf7137798e in event_call lib/event.c:2011 > #11 0x7fcf71242ff1 in frr_run lib/libfrr.c:1216 > #12 0x5577160e4d6d in main zebra/main.c:540 > #13 0x7fcf70c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: f80ec7e ("zebra: handle iptable list of interfaces") Signed-off-by: Louis Scalbert <[email protected]>

> ==238132==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 160 byte(s) in 1 object(s) allocated from: > #0 0x7fd79f0b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd79ea6f8dd in qcalloc lib/memory.c:105 > #2 0x5586b26995f9 in bgp_pbr_match_entry_alloc_intern bgpd/bgp_pbr.c:1155 > #3 0x7fd79ea17d79 in hash_get lib/hash.c:147 > #4 0x5586b26a551d in bgp_pbr_policyroute_add_to_zebra_unit bgpd/bgp_pbr.c:2522 > #5 0x5586b26a6436 in bgp_pbr_policyroute_add_to_zebra bgpd/bgp_pbr.c:2672 > #6 0x5586b26a8089 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2876 > #7 0x5586b26a8912 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2939 > #8 0x5586b2829472 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #9 0x5586b282ab4b in bgp_zebra_announce_table bgpd/bgp_zebra.c:1766 > #10 0x5586b2824b99 in bgp_zebra_tm_connect bgpd/bgp_zebra.c:1091 > #11 0x7fd79eb7798e in event_call lib/event.c:2011 > #12 0x7fd79ea42ff1 in frr_run lib/libfrr.c:1216 > #13 0x5586b2503a15 in main bgpd/bgp_main.c:545 > #14 0x7fd79e429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: d114b0d ("bgpd: inject policy route entry from bgp into zebra pbr entries.") Signed-off-by: Louis Scalbert <[email protected]>

> Direct leak of 1144 byte(s) in 13 object(s) allocated from: > #0 0x7f3eedeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f3eed86f8dd in qcalloc lib/memory.c:105 > #2 0x55b32d236faf in bgp_pbr_match_alloc_intern bgpd/bgp_pbr.c:1074 > #3 0x7f3eed817d79 in hash_get lib/hash.c:147 > #4 0x55b32d242d9a in bgp_pbr_policyroute_add_to_zebra_unit bgpd/bgp_pbr.c:2486 > #5 0x55b32d244436 in bgp_pbr_policyroute_add_to_zebra bgpd/bgp_pbr.c:2672 > #6 0x55b32d245a05 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2843 > #7 0x55b32d246912 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2939 > #8 0x55b32d3c7472 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #9 0x55b32d26e5e7 in bgp_process_main_one bgpd/bgp_route.c:3691 > #10 0x55b32d26f77d in process_subq_other_route bgpd/bgp_route.c:3856 > #11 0x55b32d2701ff in process_subq bgpd/bgp_route.c:3955 > #12 0x55b32d27029f in meta_queue_process bgpd/bgp_route.c:3980 > #13 0x7f3eed99fdd8 in work_queue_run lib/workqueue.c:282 > #14 0x7f3eed97798e in event_call lib/event.c:2011 > #15 0x7f3eed842ff1 in frr_run lib/libfrr.c:1216 > #16 0x55b32d0a1a15 in main bgpd/bgp_main.c:545 > #17 0x7f3eed229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: d114b0d ("bgpd: inject policy route entry from bgp into zebra pbr entries.") Signed-off-by: Louis Scalbert <[email protected]>

Note that bgp_pbr_policyroute_add_from_zebra() and bgp_pbr_policyroute_remove_from_zebra() are only called from bgp_pbr_handle_entry(). > ==966967==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 40 byte(s) in 1 object(s) allocated from: > #0 0x7fd447ab4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd44746f8dd in qcalloc lib/memory.c:105 > #2 0x7fd44744401a in list_new lib/linklist.c:49 > #3 0x560f8c094490 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2818 > #4 0x560f8c095993 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2941 > #5 0x560f8c2164f3 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #6 0x560f8c0bd668 in bgp_process_main_one bgpd/bgp_route.c:3691 > #7 0x560f8c0be7fe in process_subq_other_route bgpd/bgp_route.c:3856 > #8 0x560f8c0bf280 in process_subq bgpd/bgp_route.c:3955 > #9 0x560f8c0bf320 in meta_queue_process bgpd/bgp_route.c:3980 > #10 0x7fd44759fdfc in work_queue_run lib/workqueue.c:282 > #11 0x7fd4475779b2 in event_call lib/event.c:2011 > #12 0x7fd447442ff1 in frr_run lib/libfrr.c:1216 > #13 0x560f8bef0a15 in main bgpd/bgp_main.c:545 > #14 0x7fd446e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 40 byte(s) in 1 object(s) allocated from: > #0 0x7fd447ab4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd44746f8dd in qcalloc lib/memory.c:105 > #2 0x7fd44744401a in list_new lib/linklist.c:49 > #3 0x560f8c09439d in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2812 > #4 0x560f8c095993 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2941 > #5 0x560f8c2164f3 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #6 0x560f8c0bd668 in bgp_process_main_one bgpd/bgp_route.c:3691 > #7 0x560f8c0be7fe in process_subq_other_route bgpd/bgp_route.c:3856 > #8 0x560f8c0bf280 in process_subq bgpd/bgp_route.c:3955 > #9 0x560f8c0bf320 in meta_queue_process bgpd/bgp_route.c:3980 > #10 0x7fd44759fdfc in work_queue_run lib/workqueue.c:282 > #11 0x7fd4475779b2 in event_call lib/event.c:2011 > #12 0x7fd447442ff1 in frr_run lib/libfrr.c:1216 > #13 0x560f8bef0a15 in main bgpd/bgp_main.c:545 > #14 0x7fd446e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 4 byte(s) in 1 object(s) allocated from: > #0 0x7fd447ab4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd44746f8dd in qcalloc lib/memory.c:105 > #2 0x560f8c080cec in bgp_pbr_extract_enumerate_unary bgpd/bgp_pbr.c:362 > #3 0x560f8c080f7e in bgp_pbr_extract_enumerate bgpd/bgp_pbr.c:400 > #4 0x560f8c094530 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2819 > #5 0x560f8c095993 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2941 > #6 0x560f8c2164f3 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #7 0x560f8c0bd668 in bgp_process_main_one bgpd/bgp_route.c:3691 > #8 0x560f8c0be7fe in process_subq_other_route bgpd/bgp_route.c:3856 > #9 0x560f8c0bf280 in process_subq bgpd/bgp_route.c:3955 > #10 0x560f8c0bf320 in meta_queue_process bgpd/bgp_route.c:3980 > #11 0x7fd44759fdfc in work_queue_run lib/workqueue.c:282 > #12 0x7fd4475779b2 in event_call lib/event.c:2011 > #13 0x7fd447442ff1 in frr_run lib/libfrr.c:1216 > #14 0x560f8bef0a15 in main bgpd/bgp_main.c:545 > #15 0x7fd446e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > Direct leak of 4 byte(s) in 1 object(s) allocated from: > #0 0x7fd447ab4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7fd44746f8dd in qcalloc lib/memory.c:105 > #2 0x560f8c080cec in bgp_pbr_extract_enumerate_unary bgpd/bgp_pbr.c:362 > #3 0x560f8c080f7e in bgp_pbr_extract_enumerate bgpd/bgp_pbr.c:400 > #4 0x560f8c09443d in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2813 > #5 0x560f8c095993 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2941 > #6 0x560f8c2164f3 in bgp_zebra_announce bgpd/bgp_zebra.c:1618 > #7 0x560f8c0bd668 in bgp_process_main_one bgpd/bgp_route.c:3691 > #8 0x560f8c0be7fe in process_subq_other_route bgpd/bgp_route.c:3856 > #9 0x560f8c0bf280 in process_subq bgpd/bgp_route.c:3955 > #10 0x560f8c0bf320 in meta_queue_process bgpd/bgp_route.c:3980 > #11 0x7fd44759fdfc in work_queue_run lib/workqueue.c:282 > #12 0x7fd4475779b2 in event_call lib/event.c:2011 > #13 0x7fd447442ff1 in frr_run lib/libfrr.c:1216 > #14 0x560f8bef0a15 in main bgpd/bgp_main.c:545 > #15 0x7fd446e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Louis Scalbert <[email protected]>

Seen with isis_srv6_topo1 topotest. > ==178793==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 56 byte(s) in 1 object(s) allocated from: > #0 0x7f3f63cb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f3f6366f8dd in qcalloc lib/memory.c:105 > #2 0x561b810c62b7 in isis_srv6_sid_alloc isisd/isis_srv6.c:243 > #3 0x561b8111f944 in isis_zebra_srv6_sid_notify isisd/isis_zebra.c:1534 > #4 0x7f3f637df9d7 in zclient_read lib/zclient.c:4845 > #5 0x7f3f637779b2 in event_call lib/event.c:2011 > #6 0x7f3f63642ff1 in frr_run lib/libfrr.c:1216 > #7 0x561b81018bf2 in main isisd/isis_main.c:360 > #8 0x7f3f63029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Fixes: 0af0f46 ("isisd: Receive SRv6 SIDs notifications from zebra") Signed-off-by: Louis Scalbert <[email protected]>

A heap use after free when enabling bmp mirror on a non connected BMP target. > Apr 22 14:06:49 vRR-DUT systemd[1]: Started bfdd. > Apr 22 14:06:51 vRR-DUT bgpd[1522]: [VTCF0-ZHP6C] bmp: missing TX OPEN message for peer Static announcement > Apr 22 14:06:51 vRR-DUT bgpd[1522]: [K3RM9-4A4HY] bmp: missing RX OPEN message for peer Static announcement > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ================================================================= > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000321d0 at pc 0x7fe7f11c548e bp 0x7fff49f80d40 sp 0x7fff49f80d30 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: READ of size 8 at 0x60f0000321d0 thread T0 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f11c548d in typesafe_list_add /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f11c9347 in bmp_mirrorq_add_tail /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:116 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #2 0x7fe7f11d030f in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:867 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #9 0x7fe7f4c29e3f in __libc_start_main_impl ../csu/libc-start.c:392 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #10 0x55c756c6e384 in _start (/usr/bin/bgpd+0x272384) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x60f0000321d0 is located 0 bytes inside of 162-byte region [0x60f0000321d0,0x60f000032272) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: freed by thread T0 here: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f58b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f526f918 in qfree (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f918) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #2 0x7fe7f11d057b in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:875 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: previously allocated by thread T0 here: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #0 0x7fe7f58b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #1 0x7fe7f526f7c6 in qcalloc (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f7c6) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #2 0x7fe7f11cfd38 in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:835 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf) > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: SUMMARY: AddressSanitizer: heap-use-after-free /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 in typesafe_list_add > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow bytes around the buggy address: > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe3f0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe410: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: =>0x0c1e7fffe430: 00 fa fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x0c1e7fffe480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow byte legend (one shadow byte represents 8 application bytes): > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Addressable: 00 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Partially addressable: 01 02 03 04 05 06 07 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Heap left redzone: fa > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Freed heap region: fd > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack left redzone: f1 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack mid redzone: f2 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack right redzone: f3 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack after return: f5 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Stack use after scope: f8 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Global redzone: f9 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Global init order: f6 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Poisoned by user: f7 > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Container overflow: fc > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Array cookie: ac > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Intra object redzone: bb > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ASan internal: fe > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Left alloca redzone: ca > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Right alloca redzone: cb > Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow gap: cc > Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ABORTING > Apr 22 14:06:52 vRR-DUT yams[449]: CONFIG: [{'name': 'ttyS0'}] > Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 50: Connection reset by peer > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Main process exited, code=exited, status=1/FAILURE > Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 39: Connection reset by peer > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Failed with result 'exit-code'. > Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 0) encountered an error and is shutting down. > Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Consumed 2.361s CPU time. > Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 1) encountered an error and is shutting down. > Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 39 disconnected 0 bgp routes removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 39 disconnected 0 bgp nhgs removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [KQB7H-NPVW9] /build/make-pkg/output/_packages/cp-routing/src/zebra/zebra_ptm.c:1285 failed to find process pid registration > Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 50 disconnected 0 bgp routes removed from the rib > Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 50 disconnected 0 bgp nhgs removed from the rib > Do not enqueue item in the mirror queue if no reference count has been found in the connection list. Fixes: b1ebe54 ("bgpd: bmp, handle imported bgp instances in bmp_mirror") Signed-off-by: Philippe Guibert <[email protected]>

Fix for pcep counters show with null session

876d596

- also fixed a few minor compilation warnings

bradyallenjohnson requested a review from sylane April 15, 2020 09:01

sylane approved these changes Apr 15, 2020

View reviewed changes

sylane merged commit 35836dc into pathd-pcep Apr 15, 2020

sylane deleted the pathd_pcep_fix_counters_null_session branch July 22, 2020 09:45

eqvinox added a commit that referenced this pull request Apr 26, 2022

fixup bsm #6

122edcf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix for pcep counters show with null session #6

Fix for pcep counters show with null session #6

bradyallenjohnson commented Apr 15, 2020

Fix for pcep counters show with null session #6

Fix for pcep counters show with null session #6

Conversation

bradyallenjohnson commented Apr 15, 2020