Skip to content

Commit

Permalink
zebra: Fix crash when dplane_fpm_nl fails to process received routes
Browse files Browse the repository at this point in the history
When `dplane_fpm_nl` receives a route, it allocates memory for a dplane
context and calls `netlink_route_change_read_unicast_internal` without
initializing the `intf_extra_list` contained in the dplane context. If
`netlink_route_change_read_unicast_internal` is not able to process the
route, we call `dplane_ctx_fini` to free the dplane context. This causes
a crash because `dplane_ctx_fini` attempts to access the intf_extra_list
which is not initialized.

To solve this issue, we can call `dplane_ctx_route_init`to initialize
the dplane route context properly, just after the dplane context
allocation.

(gdb) bt
#0 0x0000555dd5ceae80 in dplane_intf_extra_list_pop (h=0x7fae1c007e68) at ../zebra/zebra_dplane.c:427
#1 dplane_ctx_free_internal (ctx=0x7fae1c0074b0) at ../zebra/zebra_dplane.c:724
#2 0x0000555dd5cebc99 in dplane_ctx_free (pctx=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:869
#3 dplane_ctx_free (pctx=0x7fae2aa88c98, pctx@entry=0x7fae2aa78c28) at ../zebra/zebra_dplane.c:855
#4 dplane_ctx_fini (pctx=pctx@entry=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:890
#5 0x00007fae31e93f29 in fpm_read (t=) at ../zebra/dplane_fpm_nl.c:605
#6 0x00007fae325191dd in thread_call (thread=thread@entry=0x7fae2aa98da0) at ../lib/thread.c:2006
#7 0x00007fae324c42b8 in fpt_run (arg=0x555dd74777c0) at ../lib/frr_pthread.c:309
#8 0x00007fae32405ea7 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#9 0x00007fae32325a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Fixes: #13754
Signed-off-by: Carmine Scarpitta <[email protected]>
  • Loading branch information
cscarpitta committed Jul 7, 2023
1 parent 745a0fc commit 7f2dec4
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion zebra/dplane_fpm_nl.c
Original file line number Diff line number Diff line change
Expand Up @@ -587,7 +587,8 @@ static void fpm_read(struct event *t)
switch (hdr->nlmsg_type) {
case RTM_NEWROUTE:
ctx = dplane_ctx_alloc();
dplane_ctx_set_op(ctx, DPLANE_OP_ROUTE_NOTIFY);
dplane_ctx_route_init(ctx, DPLANE_OP_ROUTE_NOTIFY, NULL,
NULL);
if (netlink_route_change_read_unicast_internal(
hdr, 0, false, ctx) != 1) {
dplane_ctx_fini(&ctx);
Expand Down

0 comments on commit 7f2dec4

Please sign in to comment.