-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support redistribute vrf function #1
Conversation
Just a few things we should do before submitting the code:
I can help with all the above items. |
Fix crash on "show bgp all" when BGP EVPN is set. > #0 raise (sig=11) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007fdfe03cf53c in core_handler (signo=11, siginfo=0x7ffdebbffe30, context=0x7ffdebbffd00) at lib/sigevent.c:261 > FRRouting#2 <signal handler called> > FRRouting#3 0x00000000004d4fec in bgp_attr_get_community (attr=0x41) at bgpd/bgp_attr.h:553 > FRRouting#4 0x00000000004eee84 in bgp_show_table (vty=0x1a790d0, bgp=0x19d0a00, safi=SAFI_EVPN, table=0x19f6010, type=bgp_show_type_normal, output_arg=0x0, rd=0x0, is_last=1, output_cum=0x0, > total_cum=0x0, json_header_depth=0x7ffdebc00bf8, show_flags=4, rpki_target_state=RPKI_NOT_BEING_USED) at bgpd/bgp_route.c:11329 > FRRouting#5 0x00000000004f7765 in bgp_show (vty=0x1a790d0, bgp=0x19d0a00, afi=AFI_L2VPN, safi=SAFI_EVPN, type=bgp_show_type_normal, output_arg=0x0, show_flags=4, > rpki_target_state=RPKI_NOT_BEING_USED) at bgpd/bgp_route.c:11814 > FRRouting#6 0x00000000004fb53b in show_ip_bgp_magic (self=0x6752b0 <show_ip_bgp_cmd>, vty=0x1a790d0, argc=3, argv=0x19cb050, viewvrfname=0x0, all=0x1395390 "all", aa_nn=0x0, community_list=0, > community_list_str=0x0, community_list_name=0x0, as_path_filter_name=0x0, prefix_list=0x0, accesslist_name=0x0, rmap_name=0x0, version=0, version_str=0x0, alias_name=0x0, > orr_group_name=0x0, detail_routes=0x0, uj=0x0, detail_json=0x0, wide=0x0) at bgpd/bgp_route.c:13040 > FRRouting#7 0x00000000004fa322 in show_ip_bgp (self=0x6752b0 <show_ip_bgp_cmd>, vty=0x1a790d0, argc=3, argv=0x19cb050) at ./bgpd/bgp_route_clippy.c:519 > FRRouting#8 0x00007fdfe033ccc8 in cmd_execute_command_real (vline=0x19c9300, filter=FILTER_RELAXED, vty=0x1a790d0, cmd=0x0, up_level=0) at lib/command.c:996 > FRRouting#9 0x00007fdfe033c739 in cmd_execute_command (vline=0x19c9300, vty=0x1a790d0, cmd=0x0, vtysh=0) at lib/command.c:1056 > FRRouting#10 0x00007fdfe033cdf5 in cmd_execute (vty=0x1a790d0, cmd=0x19c9eb0 "show bgp all", matched=0x0, vtysh=0) at lib/command.c:1223 > FRRouting#11 0x00007fdfe03f65c6 in vty_command (vty=0x1a790d0, buf=0x19c9eb0 "show bgp all") at lib/vty.c:486 > FRRouting#12 0x00007fdfe03f603b in vty_execute (vty=0x1a790d0) at lib/vty.c:1249 > FRRouting#13 0x00007fdfe03f533b in vtysh_read (thread=0x7ffdebc03838) at lib/vty.c:2148 > FRRouting#14 0x00007fdfe03e815d in thread_call (thread=0x7ffdebc03838) at lib/thread.c:2006 > FRRouting#15 0x00007fdfe0379b54 in frr_run (master=0x1246880) at lib/libfrr.c:1198 > FRRouting#16 0x000000000042b2a8 in main (argc=7, argv=0x7ffdebc03af8) at bgpd/bgp_main.c:520 Link: FRRouting#12576 Signed-off-by: Louis Scalbert <[email protected]>
After we call subgroup_announce_check(), we leave communities, large-communities that are modified by route-maps uninterned, and here we have a memory leak. ``` ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323:Direct leak of 80 byte(s) in 2 object(s) allocated from: ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #0 0x7f0858d90037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #1 0x7f08589b15b2 in qcalloc lib/memory.c:105 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#2 0x561f5c4e08d2 in lcommunity_new bgpd/bgp_lcommunity.c:28 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#3 0x561f5c4e11d9 in lcommunity_dup bgpd/bgp_lcommunity.c:141 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#4 0x561f5c5c3b8b in route_set_lcommunity bgpd/bgp_routemap.c:2491 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#5 0x7f0858a177a5 in route_map_apply_ext lib/routemap.c:2675 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#6 0x561f5c5696f9 in subgroup_announce_check bgpd/bgp_route.c:2352 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#7 0x561f5c5fb728 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:682 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#8 0x561f5c5fbd95 in subgroup_announce_route bgpd/bgp_updgrp_adv.c:765 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#9 0x561f5c5f6105 in peer_af_announce_route bgpd/bgp_updgrp.c:2187 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#10 0x561f5c5790be in bgp_announce_route_timer_expired bgpd/bgp_route.c:5032 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#11 0x7f0858a76e4e in thread_call lib/thread.c:1991 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#12 0x7f0858974c24 in frr_run lib/libfrr.c:1185 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#13 0x561f5c3e955d in main bgpd/bgp_main.c:505 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#14 0x7f08583a9d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323:Indirect leak of 144 byte(s) in 2 object(s) allocated from: ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #0 0x7f0858d8fe8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- #1 0x7f08589b1579 in qmalloc lib/memory.c:100 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#2 0x561f5c4e1282 in lcommunity_dup bgpd/bgp_lcommunity.c:144 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#3 0x561f5c5c3b8b in route_set_lcommunity bgpd/bgp_routemap.c:2491 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#4 0x7f0858a177a5 in route_map_apply_ext lib/routemap.c:2675 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#5 0x561f5c5696f9 in subgroup_announce_check bgpd/bgp_route.c:2352 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#6 0x561f5c5fb728 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:682 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#7 0x561f5c5fbd95 in subgroup_announce_route bgpd/bgp_updgrp_adv.c:765 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#8 0x561f5c5f6105 in peer_af_announce_route bgpd/bgp_updgrp.c:2187 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#9 0x561f5c5790be in bgp_announce_route_timer_expired bgpd/bgp_route.c:5032 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#10 0x7f0858a76e4e in thread_call lib/thread.c:1991 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#11 0x7f0858974c24 in frr_run lib/libfrr.c:1185 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#12 0x561f5c3e955d in main bgpd/bgp_main.c:505 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- FRRouting#13 0x7f08583a9d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323- ./bgp_large_community.test_bgp_large_community_topo_2/r1.bgpd.asan.2465323-SUMMARY: AddressSanitizer: 224 byte(s) leaked in 4 allocation(s). ``` Signed-off-by: Donatas Abraitis <[email protected]>
``` donatas-pc# show bgp all detail-routes For address family: IPv4 Unicast BGP table version is 11, local router ID is 192.168.10.17, vrf id 0 Default local pref 100, local AS 65002 BGP routing table entry for 10.0.2.0/24, version 1 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: 192.168.10.124 65001 192.168.10.124 from 192.168.10.124 (200.200.200.202) Origin incomplete, metric 0, valid, external, otc 65001, best (First path received) Last update: Tue Dec 20 12:11:52 2022 BGP routing table entry for 10.10.100.0/24, version 2 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: 192.168.10.124 65001 192.168.10.124 from 192.168.10.124 (200.200.200.202) Origin IGP, metric 0, valid, external, otc 65001, best (First path received) Last update: Tue Dec 20 12:11:52 2022 BGP routing table entry for 172.16.31.1/32, version 3 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: 192.168.10.124 65001 192.168.10.124 from 192.168.10.124 (200.200.200.202) Origin incomplete, metric 0, valid, external, otc 65001, best (First path received) Last update: Tue Dec 20 12:11:52 2022 ``` Signed-off-by: Donatas Abraitis <[email protected]>
``` unet> sh pe2 vtysh -c 'sh ip bgp ipv4 vpn detail-routes' BGP table version is 4, local router ID is 10.10.10.20, vrf id 0 Default local pref 100, local AS 65001 Route Distinguisher: 192.168.2.2:2 BGP routing table entry for 192.168.2.2:2:10.0.0.0/24, version 1 not allocated Paths: (1 available, best #1) Not advertised to any peer 65000 192.168.2.1 from 0.0.0.0 (10.10.10.20) vrf RED(4) announce-nh-self Origin incomplete, metric 0, localpref 50, valid, sourced, local, best (First path received) Extended Community: RT:192.168.2.2:2 Originator: 10.10.10.20 Remote label: 2222 Last update: Tue Dec 20 13:01:20 2022 BGP routing table entry for 192.168.2.2:2:172.16.255.1/32, version 2 not allocated Paths: (1 available, best #1) Not advertised to any peer 65000 192.168.2.1 from 0.0.0.0 (10.10.10.20) vrf RED(4) announce-nh-self Origin incomplete, localpref 50, valid, sourced, local, best (First path received) Extended Community: RT:192.168.2.2:2 Originator: 10.10.10.20 Remote label: 2222 Last update: Tue Dec 20 13:01:20 2022 BGP routing table entry for 192.168.2.2:2:192.168.1.0/24, version 3 not allocated Paths: (1 available, best #1) Not advertised to any peer 65000 192.168.2.1 from 0.0.0.0 (10.10.10.20) vrf RED(4) announce-nh-self Origin incomplete, localpref 50, valid, sourced, local, best (First path received) Extended Community: RT:192.168.2.2:2 Originator: 10.10.10.20 Remote label: 2222 Last update: Tue Dec 20 13:01:20 2022 BGP routing table entry for 192.168.2.2:2:192.168.2.0/24, version 4 not allocated Paths: (1 available, best #1) Not advertised to any peer 65000 192.168.2.1 from 0.0.0.0 (10.10.10.20) vrf RED(4) announce-nh-self Origin incomplete, metric 0, localpref 50, valid, sourced, local, best (First path received) Extended Community: RT:192.168.2.2:2 Originator: 10.10.10.20 Remote label: 2222 Last update: Tue Dec 20 13:01:20 2022 Displayed 4 routes and 4 total paths ``` Signed-off-by: Donatas Abraitis <[email protected]>
Prevent a use after free and tell the bfd subsystem we are shutting down in staticd. ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460:==2264460==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f000004698 at pc 0x7f65d1eb11b2 bp 0x7ffdbface490 sp 0x7ffdbface488 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460-READ of size 4 at 0x61f000004698 thread T0 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #0 0x7f65d1eb11b1 in zclient_bfd_command lib/bfd.c:307 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- #1 0x7f65d1eb20f5 in _bfd_sess_send lib/bfd.c:507 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#2 0x7f65d20510aa in thread_call lib/thread.c:1989 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#3 0x7f65d2051f0a in _thread_execute lib/thread.c:2081 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#4 0x7f65d1eb271b in _bfd_sess_remove lib/bfd.c:544 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#5 0x7f65d1eb278d in bfd_sess_free lib/bfd.c:553 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#6 0x7f65d1eb5400 in bfd_protocol_integration_finish lib/bfd.c:1029 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#7 0x7f65d1f42f77 in hook_call_frr_fini lib/libfrr.c:41 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#8 0x7f65d1f494a1 in frr_fini lib/libfrr.c:1199 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#9 0x563b7abefd76 in sigint staticd/static_main.c:70 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#10 0x7f65d200ef91 in frr_sigevent_process lib/sigevent.c:115 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#11 0x7f65d204fac6 in thread_fetch lib/thread.c:1758 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#12 0x7f65d1f49377 in frr_run lib/libfrr.c:1184 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#13 0x563b7abefed1 in main staticd/static_main.c:160 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#14 0x7f65d1b92d09 in __libc_start_main ../csu/libc-start.c:308 ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- FRRouting#15 0x563b7abefa99 in _start (/usr/lib/frr/staticd+0x15a99) ./bfd_topo3.test_bfd_topo3/r4.staticd.asan.2264460- Signed-off-by: Donald Sharp <[email protected]>
Memory leaks are observed in the cleanup code. When “no router bgp" is executed, cleanup in that flow for aggregate-address command is not taken care. fixes the below leak: -- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#4 0x562bf42f1e55 in aggregate_addressv6_magic bgpd/bgp_route.c:8592 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#5 0x562bf42be3f5 in aggregate_addressv6 bgpd/bgp_route_clippy.c:341 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#4 0x562bf42f1cde in aggregate_addressv4_magic bgpd/bgp_route.c:8543 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#5 0x562bf42bd258 in aggregate_addressv4 bgpd/bgp_route_clippy.c:255 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444-SUMMARY: AddressSanitizer: 304 byte(s) leaked in 2 allocation(s). Signed-off-by: Samanvitha B Bhargav <[email protected]>
two things: On shutdown cleanup any events associated with the update walker. Also do not allow new events to be created. Fixes this mem-leak: ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790:Direct leak of 8 byte(s) in 1 object(s) allocated from: ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- #0 0x7f0dd0b08037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- #1 0x7f0dd06c19f9 in qcalloc lib/memory.c:105 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#2 0x55b42fb605bc in rib_update_ctx_init zebra/zebra_rib.c:4383 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#3 0x55b42fb6088f in rib_update zebra/zebra_rib.c:4421 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#4 0x55b42fa00344 in netlink_link_change zebra/if_netlink.c:2221 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#5 0x55b42fa24622 in netlink_information_fetch zebra/kernel_netlink.c:399 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#6 0x55b42fa28c02 in netlink_parse_info zebra/kernel_netlink.c:1183 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#7 0x55b42fa24951 in kernel_read zebra/kernel_netlink.c:493 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#8 0x7f0dd0797f0c in event_call lib/event.c:1995 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#9 0x7f0dd0684fd9 in frr_run lib/libfrr.c:1185 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#10 0x55b42fa30caa in main zebra/main.c:465 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#11 0x7f0dd01b5d09 in __libc_start_main ../csu/libc-start.c:308 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790-SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s). Signed-off-by: Donald Sharp <[email protected]>
kttps://datatracker.ietf.org/doc/html/draft-ietf-idr-node-target-ext-comm unet> sh r1 vtysh -c 'sh ip bgp nei 192.168.1.2 adver' BGP table version is 1, local router ID is 192.168.1.1, vrf id 0 Default local pref 100, local AS 65001 Status codes: s suppressed, d damped, h history, * valid, > best, = multipath, i internal, r RIB-failure, S Stale, R Removed Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 10.10.10.10/32 0.0.0.0 0 32768 i Total number of prefixes 1 unet> sh r1 vtysh -c 'sh ip bgp nei 192.168.1.3 adver' BGP table version is 1, local router ID is 192.168.1.1, vrf id 0 Default local pref 100, local AS 65001 Status codes: s suppressed, d damped, h history, * valid, > best, = multipath, i internal, r RIB-failure, S Stale, R Removed Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 10.10.10.10/32 0.0.0.0 0 32768 i Total number of prefixes 1 unet> sh r2 vtysh -c 'show ip bgp 10.10.10.10/32' % Network not in table unet> sh r3 vtysh -c 'show ip bgp 10.10.10.10/32' BGP routing table entry for 10.10.10.10/32, version 1 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: 192.168.1.1 65001 192.168.1.1 from 192.168.1.1 (192.168.1.1) Origin IGP, metric 0, valid, external, best (First path received) Extended Community: NT:192.168.1.3 NT:192.168.1.4 Last update: Tue Apr 11 23:19:33 2023 unet> Signed-off-by: Donatas Abraitis <[email protected]>
bgpd/bgp_vty.c
Outdated
afi = vpn_policy_getafi(vty, bgp, true); | ||
if (afi == AFI_MAX) | ||
return CMD_WARNING_CONFIG_FAILED; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest to replace these lines with something like this:
afi = bgp_node_afi(vty);
safi = bgp_node_safi(vty);
if ((SAFI_UNICAST != safi) || ((AFI_IP != afi) && (AFI_IP6 != afi))) {
vty_out(vty, "%% redistribute vrf is valid only for unicast ipv4|ipv6\n");
return CMD_WARNING_CONFIG_FAILED;
}
and leave the vpn_policy_getafi
function unchanged.
This should be equivalent to your implementation, but it doesn't change the vpn_policy_getafi
function which is used in some other places.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done for this. Thanks for your comments.
bgpd/bgp_vty.c
Outdated
@@ -8639,7 +8639,7 @@ static afi_t vpn_policy_getafi(struct vty *vty, struct bgp *bgp, bool v2vimport) | |||
"%% context error: valid only in address-family <ipv4|ipv6> unicast block\n"); | |||
return AFI_MAX; | |||
} | |||
|
|||
#if 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now the function vpn_policy_getafi()
is never called from your code, right?
I think there is no reason to change it. Can we remove the #if 0
directive and leave vpn_policy_getafi()
unchanged?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok... I'm sorry, I forgot to restore it.
Example configuration: router bgp 100 vrf vrf-1 address-family ipv4 unicast rd vpn export 1:1 rt vpn both 1:1 export vpn import vpn redistribute vrf vrf-2 exit-address-family ! ! router bgp 100 vrf vrf-2 neighbor 2.2.2.2 remote-as 1 address-family ipv4 unicast rd vpn export 2:2 rt vpn both 2:2 neighbor 2.2.2.2 activate exit-address-family ! ! BGP routes learned from the neighbor 2.2.2.2 under VRF-1 can be directly copied to the BGP under VRF-1 without carrying the RD and RT attributes of VRF-1. After being copied to VRF-1, the routes will be sent to VPN with the RD 1:1 and RT 1:1 attributes, forming BGP-VPN routes. Signed-off-by: Jack.Zhang <[email protected]>
Signed-off-by: Jack.Zhang <[email protected]>
This commit adds a new test case.The new test case performs three operations: install routes in vrf1. set redistribute vrf vrf1 command on vrf2. check the copying routes by vrf1 in vrf2. Signed-off-by: Jack.Zhang <[email protected]>
This commit addresses a memory leak issue in the BGP Flowspec NLRI parsing function. Previously when processing NLRI, dynamically allocated memory to `temp` was not being freed, leading to a memory leak. The commit introduces the necessary code (XFREE) to properly free the temp memory after processing Flowspec NLRI. The ASan leak log for reference: ``` ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689:Direct leak of 56 byte(s) in 2 object(s) allocated from: ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- #0 0x7fc9872b5037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- #1 0x7fc986e5b1ee in qcalloc lib/memory.c:105 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#2 0x560421351bfe in bgp_nlri_parse_flowspec bgpd/bgp_flowspec.c:155 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#3 0x56042107d01c in bgp_nlri_parse bgpd/bgp_packet.c:350 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#4 0x560421086cf3 in bgp_update_receive bgpd/bgp_packet.c:2023 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#5 0x56042108deed in bgp_process_packet bgpd/bgp_packet.c:2933 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#6 0x7fc986f35bf7 in event_call lib/event.c:1995 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#7 0x7fc986e1e99d in frr_run lib/libfrr.c:1185 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#8 0x560420f3f59d in main bgpd/bgp_main.c:505 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#9 0x7fc986805d09 in __libc_start_main ../csu/libc-start.c:308 ``` Signed-off-by: Keelan Cannoo <[email protected]>
Fixes a crash associated with attempting to read beyond the end of the stream when parsing ASLA Sub-TLV. ``` Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff7830859 in __GI_abort () at abort.c:79 FRRouting#2 0x00007ffff7d51321 in _zlog_assert_failed (xref=xref@entry=0x7ffff7e306c0 <_xref.19624>, extra=extra@entry=0x0) at lib/zlog.c:667 FRRouting#3 0x00007ffff7ca802c in stream_getc (s=0x55555593d2a0) at lib/stream.c:353 FRRouting#4 0x00005555556421eb in unpack_item_ext_subtlv_asla (mtid=<optimized out>, exts=<optimized out>, indent=<optimized out>, log=<optimized out>, s=<optimized out>, subtlv_len=13 '\r') at isisd/isis_tlvs.c:1473 FRRouting#5 unpack_item_ext_subtlvs (indent=10, dest=0x555555940ca0, log=0x55555593af40 <logbuf>, s=0x55555593d2a0, len=16 '\020', mtid=2404) at isisd/isis_tlvs.c:2077 FRRouting#6 unpack_item_extended_reach (mtid=2404, len=<optimized out>, s=0x55555593d2a0, log=0x55555593af40 <logbuf>, dest=<optimized out>, indent=6) at isisd/isis_tlvs.c:3264 FRRouting#7 0x0000555555617bed in unpack_item (indent=6, dest=<optimized out>, log=<optimized out>, s=<optimized out>, len=<optimized out>, tlv_type=<optimized out>, context=<optimized out>, mtid=<optimized out>) at isisd/isis_tlvs.c:6078 FRRouting#8 unpack_tlv_with_items (context=<optimized out>, tlv_type=<optimized out>, tlv_len=80 'P', s=0x55555593d2a0, log=0x55555593af40 <logbuf>, dest=<optimized out>, indent=4) at isisd/isis_tlvs.c:6142 FRRouting#9 0x0000555555616f9a in unpack_tlv (unpacked_known_tlvs=<optimized out>, indent=2, dest=<optimized out>, log=0x55555593af40 <logbuf>, stream=<optimized out>, avail_len=<optimized out>, context=<optimized out>) at isisd/isis_tlvs.c:7032 FRRouting#10 unpack_tlvs (context=ISIS_CONTEXT_LSP, avail_len=97, stream=0x55555593d2a0, log=0x55555593af40 <logbuf>, dest=0x5555559408d0, indent=0, unpacked_known_tlvs=0x0) at isisd/isis_tlvs.c:7054 FRRouting#11 0x0000555555647ea8 in isis_unpack_tlvs (avail_len=97, stream=0x55555593d2a0, dest=0x7fffffffd7c8, log=0x7fffffffd7d0) at isisd/isis_tlvs.c:7085 FRRouting#12 0x000055555559c278 in test (input=0x7ffff79fa980 <_IO_2_1_stdin_>, output=0x7ffff79fb6a0 <_IO_2_1_stdout_>) at tests/isisd/test_fuzz_isis_tlv.c:101 FRRouting#13 0x0000555555598f0b in main (argc=<optimized out>, argv=<optimized out>) at tests/isisd/test_fuzz_isis_tlv_tests.h:4270 (gdb) ``` Caught by fuzzer. Signed-off-by: Carmine Scarpitta <[email protected]>
When `dplane_fpm_nl` receives a route, it allocates memory for a dplane context and calls `netlink_route_change_read_unicast_internal` without initializing the `intf_extra_list` contained in the dplane context. If `netlink_route_change_read_unicast_internal` is not able to process the route, we call `dplane_ctx_fini` to free the dplane context. This causes a crash because `dplane_ctx_fini` attempts to access the intf_extra_list which is not initialized. To solve this issue, we can call `dplane_ctx_route_init`to initialize the dplane route context properly, just after the dplane context allocation. (gdb) bt #0 0x0000555dd5ceae80 in dplane_intf_extra_list_pop (h=0x7fae1c007e68) at ../zebra/zebra_dplane.c:427 #1 dplane_ctx_free_internal (ctx=0x7fae1c0074b0) at ../zebra/zebra_dplane.c:724 FRRouting#2 0x0000555dd5cebc99 in dplane_ctx_free (pctx=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:869 FRRouting#3 dplane_ctx_free (pctx=0x7fae2aa88c98, pctx@entry=0x7fae2aa78c28) at ../zebra/zebra_dplane.c:855 FRRouting#4 dplane_ctx_fini (pctx=pctx@entry=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:890 FRRouting#5 0x00007fae31e93f29 in fpm_read (t=) at ../zebra/dplane_fpm_nl.c:605 FRRouting#6 0x00007fae325191dd in thread_call (thread=thread@entry=0x7fae2aa98da0) at ../lib/thread.c:2006 FRRouting#7 0x00007fae324c42b8 in fpt_run (arg=0x555dd74777c0) at ../lib/frr_pthread.c:309 FRRouting#8 0x00007fae32405ea7 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 FRRouting#9 0x00007fae32325a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6 Fixes: FRRouting#13754 Signed-off-by: Carmine Scarpitta <[email protected]>
When `dplane_fpm_nl` receives a route, it allocates memory for a dplane context and calls `netlink_route_change_read_unicast_internal` without initializing the `intf_extra_list` contained in the dplane context. If `netlink_route_change_read_unicast_internal` is not able to process the route, we call `dplane_ctx_fini` to free the dplane context. This causes a crash because `dplane_ctx_fini` attempts to access the intf_extra_list which is not initialized. To solve this issue, we can call `dplane_ctx_route_init`to initialize the dplane route context properly, just after the dplane context allocation. (gdb) bt #0 0x0000555dd5ceae80 in dplane_intf_extra_list_pop (h=0x7fae1c007e68) at ../zebra/zebra_dplane.c:427 #1 dplane_ctx_free_internal (ctx=0x7fae1c0074b0) at ../zebra/zebra_dplane.c:724 FRRouting#2 0x0000555dd5cebc99 in dplane_ctx_free (pctx=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:869 FRRouting#3 dplane_ctx_free (pctx=0x7fae2aa88c98, pctx@entry=0x7fae2aa78c28) at ../zebra/zebra_dplane.c:855 FRRouting#4 dplane_ctx_fini (pctx=pctx@entry=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:890 FRRouting#5 0x00007fae31e93f29 in fpm_read (t=) at ../zebra/dplane_fpm_nl.c:605 FRRouting#6 0x00007fae325191dd in thread_call (thread=thread@entry=0x7fae2aa98da0) at ../lib/thread.c:2006 FRRouting#7 0x00007fae324c42b8 in fpt_run (arg=0x555dd74777c0) at ../lib/frr_pthread.c:309 FRRouting#8 0x00007fae32405ea7 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 FRRouting#9 0x00007fae32325a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6 Fixes: FRRouting#13754 Signed-off-by: Carmine Scarpitta <[email protected]>
…args ==13211==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000af158 at pc 0x55d48c5f1e38 bp 0x7fffd8a713d0 sp 0x7fffd8a713c0 READ of size 8 at 0x6020000af158 thread T0 #0 0x55d48c5f1e37 in rip_allow_ecmp ripd/rip_cli.c:98 #1 0x7f2ec125aa0f in cmd_execute_command_real lib/command.c:990 FRRouting#2 0x7f2ec125ae90 in cmd_execute_command lib/command.c:1049 FRRouting#3 0x7f2ec125b406 in cmd_execute lib/command.c:1217 FRRouting#4 0x7f2ec137ca36 in vty_command lib/vty.c:551 FRRouting#5 0x7f2ec137ce52 in vty_execute lib/vty.c:1314 FRRouting#6 0x7f2ec1384f9e in vtysh_read lib/vty.c:2223 FRRouting#7 0x7f2ec137041b in event_call lib/event.c:1995 FRRouting#8 0x7f2ec12b54bf in frr_run lib/libfrr.c:1204 FRRouting#9 0x55d48c5f0f32 in main ripd/rip_main.c:171 FRRouting#10 0x7f2ec0ad9c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) FRRouting#11 0x55d48c5f1349 in _start (/usr/lib/frr/ripd+0x3b349) 0x6020000af158 is located 0 bytes to the right of 8-byte region [0x6020000af150,0x6020000af158) allocated by thread T0 here: #0 0x7f2ec18ccb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f2ec12d2e41 in qmalloc lib/memory.c:100 FRRouting#2 0x7f2ec125a815 in cmd_execute_command_real lib/command.c:955 FRRouting#3 0x7f2ec125ae90 in cmd_execute_command lib/command.c:1049 FRRouting#4 0x7f2ec125b406 in cmd_execute lib/command.c:1217 FRRouting#5 0x7f2ec137ca36 in vty_command lib/vty.c:551 FRRouting#6 0x7f2ec137ce52 in vty_execute lib/vty.c:1314 FRRouting#7 0x7f2ec1384f9e in vtysh_read lib/vty.c:2223 FRRouting#8 0x7f2ec137041b in event_call lib/event.c:1995 FRRouting#9 0x7f2ec12b54bf in frr_run lib/libfrr.c:1204 FRRouting#10 0x55d48c5f0f32 in main ripd/rip_main.c:171 FRRouting#11 0x7f2ec0ad9c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: heap-buffer-overflow ripd/rip_cli.c:98 in rip_allow_ecmp Shadow bytes around the buggy address: 0x0c048000ddd0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa 0x0c048000dde0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c048000ddf0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd 0x0c048000de00: fa fa fd fa fa fa fd fd fa fa 00 03 fa fa fd fa 0x0c048000de10: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa 00 03 =>0x0c048000de20: fa fa 00 03 fa fa fd fa fa fa 00[fa]fa fa fa fa 0x0c048000de30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c048000de40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c048000de50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c048000de60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c048000de70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==13211==ABORTING Signed-off-by: Donatas Abraitis <[email protected]>
This commit addresses a memory leak issue in the BGP Flowspec NLRI parsing function. Previously when processing NLRI, dynamically allocated memory to `temp` was not being freed, leading to a memory leak. The commit introduces the necessary code (XFREE) to properly free the temp memory after processing Flowspec NLRI. The ASan leak log for reference: ``` ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689:Direct leak of 56 byte(s) in 2 object(s) allocated from: ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- #0 0x7fc9872b5037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- #1 0x7fc986e5b1ee in qcalloc lib/memory.c:105 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#2 0x560421351bfe in bgp_nlri_parse_flowspec bgpd/bgp_flowspec.c:155 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#3 0x56042107d01c in bgp_nlri_parse bgpd/bgp_packet.c:350 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#4 0x560421086cf3 in bgp_update_receive bgpd/bgp_packet.c:2023 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#5 0x56042108deed in bgp_process_packet bgpd/bgp_packet.c:2933 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#6 0x7fc986f35bf7 in event_call lib/event.c:1995 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#7 0x7fc986e1e99d in frr_run lib/libfrr.c:1185 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#8 0x560420f3f59d in main bgpd/bgp_main.c:505 ./bgp_flowspec.test_bgp_flowspec_topo/r1.bgpd.asan.687689- FRRouting#9 0x7fc986805d09 in __libc_start_main ../csu/libc-start.c:308 ``` Signed-off-by: Keelan Cannoo <[email protected]>
When `dplane_fpm_nl` receives a route, it allocates memory for a dplane context and calls `netlink_route_change_read_unicast_internal` without initializing the `intf_extra_list` contained in the dplane context. If `netlink_route_change_read_unicast_internal` is not able to process the route, we call `dplane_ctx_fini` to free the dplane context. This causes a crash because `dplane_ctx_fini` attempts to access the intf_extra_list which is not initialized. To solve this issue, we can call `dplane_ctx_route_init`to initialize the dplane route context properly, just after the dplane context allocation. (gdb) bt #0 0x0000555dd5ceae80 in dplane_intf_extra_list_pop (h=0x7fae1c007e68) at ../zebra/zebra_dplane.c:427 #1 dplane_ctx_free_internal (ctx=0x7fae1c0074b0) at ../zebra/zebra_dplane.c:724 FRRouting#2 0x0000555dd5cebc99 in dplane_ctx_free (pctx=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:869 FRRouting#3 dplane_ctx_free (pctx=0x7fae2aa88c98, pctx@entry=0x7fae2aa78c28) at ../zebra/zebra_dplane.c:855 FRRouting#4 dplane_ctx_fini (pctx=pctx@entry=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:890 FRRouting#5 0x00007fae31e93f29 in fpm_read (t=) at ../zebra/dplane_fpm_nl.c:605 FRRouting#6 0x00007fae325191dd in thread_call (thread=thread@entry=0x7fae2aa98da0) at ../lib/thread.c:2006 FRRouting#7 0x00007fae324c42b8 in fpt_run (arg=0x555dd74777c0) at ../lib/frr_pthread.c:309 FRRouting#8 0x00007fae32405ea7 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 FRRouting#9 0x00007fae32325a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6 Fixes: FRRouting#13754 Signed-off-by: Carmine Scarpitta <[email protected]>
This commit ensures proper cleanup by deleting the gm_join_list when a PIM interface is deleted. The gm_join_list was previously not being freed, causing a memory leak. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in multicast_mld_join_topo1.test_multicast_mld_local_join/r1.asan.pim6d.28070 ================================================================= ==28070==ERROR: LeakSanitizer: detected memory leaks Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230372180f in list_new lib/linklist.c:49 FRRouting#3 0x56230361b589 in pim_if_gm_join_add pimd/pim_iface.c:1313 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 192 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 96 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 400 byte(s) leaked in 11 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]>
Memory leaks started flowing: ``` AddressSanitizer Topotests Part 0: 15 KB -> 283 KB AddressSanitizer Topotests Part 1: 1 KB -> 495 KB AddressSanitizer Topotests Part 2: 13 KB -> 478 KB AddressSanitizer Topotests Part 3: 39 KB -> 213 KB AddressSanitizer Topotests Part 4: 30 KB -> 836 KB AddressSanitizer Topotests Part 5: 0 bytes -> 356 KB AddressSanitizer Topotests Part 6: 86 KB -> 783 KB AddressSanitizer Topotests Part 7: 0 bytes -> 354 KB AddressSanitizer Topotests Part 8: 0 bytes -> 62 KB AddressSanitizer Topotests Part 9: 408 KB -> 518 KB ``` ``` Direct leak of 3584 byte(s) in 1 object(s) allocated from: #0 0x7f1957b02d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x559895c55df0 in qcalloc lib/memory.c:105 FRRouting#2 0x559895bc1cdf in zserv_client_create zebra/zserv.c:743 FRRouting#3 0x559895bc1cdf in zserv_accept zebra/zserv.c:880 FRRouting#4 0x559895cf3438 in event_call lib/event.c:1995 FRRouting#5 0x559895c3901c in frr_run lib/libfrr.c:1213 FRRouting#6 0x559895a698f1 in main zebra/main.c:472 FRRouting#7 0x7f195635ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) ``` Fixes b20acd0 ("bgpd: Use synchronous way to get labels from Zebra") Signed-off-by: Donatas Abraitis <[email protected]>
The loading_done event needs a event pointer to prevent use after free's. Testing found this: ERROR: AddressSanitizer: heap-use-after-free on address 0x613000035130 at pc 0x55ad42d54e5f bp 0x7ffff1e942a0 sp 0x7ffff1e94290 READ of size 1 at 0x613000035130 thread T0 #0 0x55ad42d54e5e in loading_done ospf6d/ospf6_neighbor.c:447 #1 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#2 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 FRRouting#3 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 FRRouting#4 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) FRRouting#5 0x55ad42cf2b19 in _start (/usr/lib/frr/ospf6d+0x248b19) 0x613000035130 is located 48 bytes inside of 384-byte region [0x613000035100,0x613000035280) freed by thread T0 here: #0 0x7f57998d77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55ad42e3b4b6 in qfree lib/memory.c:130 FRRouting#2 0x55ad42d5d049 in ospf6_neighbor_delete ospf6d/ospf6_neighbor.c:180 FRRouting#3 0x55ad42d1e1ea in interface_down ospf6d/ospf6_interface.c:930 FRRouting#4 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#5 0x55ad42ed84fe in _event_execute lib/event.c:2086 FRRouting#6 0x55ad42d26d7b in ospf6_interface_clear ospf6d/ospf6_interface.c:2847 FRRouting#7 0x55ad42d73f16 in ospf6_process_reset ospf6d/ospf6_top.c:755 FRRouting#8 0x55ad42d7e98c in clear_router_ospf6_magic ospf6d/ospf6_top.c:778 FRRouting#9 0x55ad42d7e98c in clear_router_ospf6 ospf6d/ospf6_top_clippy.c:42 FRRouting#10 0x55ad42dc2665 in cmd_execute_command_real lib/command.c:994 FRRouting#11 0x55ad42dc2b32 in cmd_execute_command lib/command.c:1053 FRRouting#12 0x55ad42dc2fa9 in cmd_execute lib/command.c:1221 FRRouting#13 0x55ad42ee3cd6 in vty_command lib/vty.c:591 FRRouting#14 0x55ad42ee4170 in vty_execute lib/vty.c:1354 FRRouting#15 0x55ad42eec94f in vtysh_read lib/vty.c:2362 FRRouting#16 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#17 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 FRRouting#18 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 FRRouting#19 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) previously allocated by thread T0 here: #0 0x7f57998d7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55ad42e3ab22 in qcalloc lib/memory.c:105 FRRouting#2 0x55ad42d5c8ff in ospf6_neighbor_create ospf6d/ospf6_neighbor.c:119 FRRouting#3 0x55ad42d4c86a in ospf6_hello_recv ospf6d/ospf6_message.c:464 FRRouting#4 0x55ad42d4c86a in ospf6_read_helper ospf6d/ospf6_message.c:1884 FRRouting#5 0x55ad42d4c86a in ospf6_receive ospf6d/ospf6_message.c:1925 FRRouting#6 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#7 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 FRRouting#8 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 FRRouting#9 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Add an actual event pointer and just track it appropriately. Signed-off-by: Donald Sharp <[email protected]>
The function ospf6_router_lsa_contains_adj(), ospf6_gr_check_adjs() and ospf6_find_interf_prefix_lsa() iterate through LSDB and lock each LSA. During testing, it was discovered that the lock count did not reach zero upon termination. The stack trace below indicates the leak. To resolve this issue, it was found that unlocking the LSA before returning from the functions solves the problem. This suggests that there was a missing unlock that caused the lock count to remain nonzero. ================================================================= ==22565==ERROR: LeakSanitizer: detected memory leaks Direct leak of 400 byte(s) in 2 object(s) allocated from: #0 0x7fa744ccea37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x7fa744867562 in qcalloc ../lib/memory.c:105 FRRouting#2 0x555cdbb37506 in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:710 FRRouting#3 0x555cdbb375d6 in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x555cdbaf1008 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x555cdbb48ceb in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x555cdbb4ac90 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x555cdbb4aecc in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7fa744950c33 in event_call ../lib/event.c:1995 FRRouting#9 0x7fa74483b34a in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x555cdbacf1eb in main ../ospf6d/ospf6_main.c:250 FRRouting#11 0x7fa7443f9d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x6110000606c0 (200 bytes) 0x611000060940 (200 bytes) Indirect leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7fa744cce867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7fa744867525 in qmalloc ../lib/memory.c:100 FRRouting#2 0x555cdbb37520 in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:711 FRRouting#3 0x555cdbb375d6 in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x555cdbaf1008 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x555cdbb48ceb in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x555cdbb4ac90 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x555cdbb4aecc in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7fa744950c33 in event_call ../lib/event.c:1995 FRRouting#9 0x7fa74483b34a in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x555cdbacf1eb in main ../ospf6d/ospf6_main.c:250 FRRouting#11 0x7fa7443f9d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x6040000325d0 (40 bytes) 0x604000032650 (40 bytes) SUMMARY: AddressSanitizer: 480 byte(s) leaked in 4 allocation(s). ================================================================= ==5483==ERROR: LeakSanitizer: detected memory leaks Direct leak of 2000 byte(s) in 10 object(s) allocated from: #0 0x7f2c3faeea37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x7f2c3f68a6d9 in qcalloc ../lib/memory.c:105 FRRouting#2 0x56431b83633d in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:710 FRRouting#3 0x56431b83640d in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x56431b7efe13 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x56431b847b31 in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x56431b849ad6 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x56431b849d12 in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7f2c3f773c62 in event_call ../lib/event.c:1995 FRRouting#9 0x7f2c3f65e2de in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x56431b7cdff6 in main ../ospf6d/ospf6_main.c:221 FRRouting#11 0x7f2c3f21dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x611000060800 (200 bytes) 0x611000060a80 (200 bytes) 0x611000060d00 (200 bytes) 0x611000060f80 (200 bytes) 0x611000061200 (200 bytes) 0x611000061480 (200 bytes) 0x611000061840 (200 bytes) 0x611000061ac0 (200 bytes) 0x61100006c740 (200 bytes) 0x61100006d500 (200 bytes) Indirect leak of 460 byte(s) in 10 object(s) allocated from: #0 0x7f2c3faee867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7f2c3f68a69c in qmalloc ../lib/memory.c:100 FRRouting#2 0x56431b836357 in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:711 FRRouting#3 0x56431b83640d in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x56431b7efe13 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x56431b847b31 in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x56431b849ad6 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x56431b849d12 in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7f2c3f773c62 in event_call ../lib/event.c:1995 FRRouting#9 0x7f2c3f65e2de in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x56431b7cdff6 in main ../ospf6d/ospf6_main.c:221 FRRouting#11 0x7f2c3f21dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x604000033110 (40 bytes) 0x604000033190 (40 bytes) 0x604000033210 (44 bytes) 0x604000033290 (44 bytes) 0x604000033310 (44 bytes) 0x604000033390 (44 bytes) 0x604000033410 (44 bytes) 0x604000033490 (44 bytes) 0x604000034c90 (44 bytes) 0x6070000d3830 (72 bytes) SUMMARY: AddressSanitizer: 2460 byte(s) leaked in 20 allocation(s). Signed-off-by: ryndia <[email protected]>
The bgp vpn policy had some attribute not free when the function bgp_free was called leading to memory leak as shown below. ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251:Direct leak of 592 byte(s) in 2 object(s) allocated from: ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #0 0x7f4b7ae92037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #1 0x7f4b7aa96e38 in qcalloc lib/memory.c:105 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#2 0x7f4b7aa9bec9 in srv6_locator_chunk_alloc lib/srv6.c:135 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#3 0x56396f8e56f8 in ensure_vrf_tovpn_sid_per_af bgpd/bgp_mplsvpn.c:752 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#4 0x56396f8e608a in ensure_vrf_tovpn_sid bgpd/bgp_mplsvpn.c:846 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#5 0x56396f8e075d in vpn_leak_postchange bgpd/bgp_mplsvpn.h:259 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#6 0x56396f8f3e5b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3397 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#7 0x56396fa920ef in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3238 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#8 0x7f4b7abb2913 in zclient_read lib/zclient.c:4134 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#9 0x7f4b7ab62010 in thread_call lib/thread.c:1991 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#10 0x7f4b7aa5a418 in frr_run lib/libfrr.c:1185 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#11 0x56396f7d756d in main bgpd/bgp_main.c:505 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#12 0x7f4b7a479d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251:Direct leak of 32 byte(s) in 2 object(s) allocated from: ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #0 0x7f4b7ae92037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #1 0x7f4b7aa96e38 in qcalloc lib/memory.c:105 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#2 0x56396f8e31b8 in vpn_leak_zebra_vrf_sid_update_per_af bgpd/bgp_mplsvpn.c:386 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#3 0x56396f8e3ae8 in vpn_leak_zebra_vrf_sid_update bgpd/bgp_mplsvpn.c:448 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#4 0x56396f8e09b0 in vpn_leak_postchange bgpd/bgp_mplsvpn.h:271 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#5 0x56396f8f3e5b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3397 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#6 0x56396fa920ef in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3238 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#7 0x7f4b7abb2913 in zclient_read lib/zclient.c:4134 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#8 0x7f4b7ab62010 in thread_call lib/thread.c:1991 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#9 0x7f4b7aa5a418 in frr_run lib/libfrr.c:1185 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#10 0x56396f7d756d in main bgpd/bgp_main.c:505 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#11 0x7f4b7a479d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251:Direct leak of 32 byte(s) in 2 object(s) allocated from: ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #0 0x7f4b7ae92037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #1 0x7f4b7aa96e38 in qcalloc lib/memory.c:105 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#2 0x56396f8e5730 in ensure_vrf_tovpn_sid_per_af bgpd/bgp_mplsvpn.c:753 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#3 0x56396f8e608a in ensure_vrf_tovpn_sid bgpd/bgp_mplsvpn.c:846 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#4 0x56396f8e075d in vpn_leak_postchange bgpd/bgp_mplsvpn.h:259 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#5 0x56396f8f3e5b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3397 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#6 0x56396fa920ef in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3238 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#7 0x7f4b7abb2913 in zclient_read lib/zclient.c:4134 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#8 0x7f4b7ab62010 in thread_call lib/thread.c:1991 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#9 0x7f4b7aa5a418 in frr_run lib/libfrr.c:1185 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#10 0x56396f7d756d in main bgpd/bgp_main.c:505 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#11 0x7f4b7a479d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251-SUMMARY: AddressSanitizer: 656 byte(s) leaked in 6 allocation(s). Signed-off-by: ryndia <[email protected]>
The `bgp_vrf->vrf_prd_pretty` string was not properly freed, leading to a memory leak. This commit resolves the memory leak by freeing the memory allocated for `bgp_vrf->vrf_prd_pretty` before returning from the function. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in evpn_type5_test_topo1.test_evpn_type5_topo1/e1.asan.bgpd.17689 ================================================================= ==17689==ERROR: LeakSanitizer: detected memory leaks Direct leak of 15 byte(s) in 1 object(s) allocated from: #0 0x7fdd94fc0538 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x77538) #1 0x55e28d9c4c6c in qstrdup lib/memory.c:117 FRRouting#2 0x55e28d6c0d27 in evpn_configure_vrf_rd bgpd/bgp_evpn_vty.c:2297 FRRouting#3 0x55e28d6c0d27 in bgp_evpn_vrf_rd bgpd/bgp_evpn_vty.c:6271 FRRouting#4 0x55e28d94c155 in cmd_execute_command_real lib/command.c:994 FRRouting#5 0x55e28d94c622 in cmd_execute_command lib/command.c:1053 FRRouting#6 0x55e28d94ca99 in cmd_execute lib/command.c:1221 FRRouting#7 0x55e28da6d7d4 in vty_command lib/vty.c:591 FRRouting#8 0x55e28da6dc6e in vty_execute lib/vty.c:1354 FRRouting#9 0x55e28da7644d in vtysh_read lib/vty.c:2362 FRRouting#10 0x55e28da616e2 in event_call lib/event.c:1995 FRRouting#11 0x55e28d9a7a65 in frr_run lib/libfrr.c:1213 FRRouting#12 0x55e28d63ef00 in main bgpd/bgp_main.c:505 FRRouting#13 0x7fdd93883c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 15 byte(s) leaked in 1 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]>
The function ospf6_router_lsa_contains_adj(), ospf6_gr_check_adjs() and ospf6_find_interf_prefix_lsa() iterate through LSDB and lock each LSA. During testing, it was discovered that the lock count did not reach zero upon termination. The stack trace below indicates the leak. To resolve this issue, it was found that unlocking the LSA before returning from the functions solves the problem. This suggests that there was a missing unlock that caused the lock count to remain nonzero. ================================================================= ==22565==ERROR: LeakSanitizer: detected memory leaks Direct leak of 400 byte(s) in 2 object(s) allocated from: #0 0x7fa744ccea37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x7fa744867562 in qcalloc ../lib/memory.c:105 FRRouting#2 0x555cdbb37506 in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:710 FRRouting#3 0x555cdbb375d6 in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x555cdbaf1008 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x555cdbb48ceb in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x555cdbb4ac90 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x555cdbb4aecc in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7fa744950c33 in event_call ../lib/event.c:1995 FRRouting#9 0x7fa74483b34a in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x555cdbacf1eb in main ../ospf6d/ospf6_main.c:250 FRRouting#11 0x7fa7443f9d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x6110000606c0 (200 bytes) 0x611000060940 (200 bytes) Indirect leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7fa744cce867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7fa744867525 in qmalloc ../lib/memory.c:100 FRRouting#2 0x555cdbb37520 in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:711 FRRouting#3 0x555cdbb375d6 in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x555cdbaf1008 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x555cdbb48ceb in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x555cdbb4ac90 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x555cdbb4aecc in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7fa744950c33 in event_call ../lib/event.c:1995 FRRouting#9 0x7fa74483b34a in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x555cdbacf1eb in main ../ospf6d/ospf6_main.c:250 FRRouting#11 0x7fa7443f9d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x6040000325d0 (40 bytes) 0x604000032650 (40 bytes) SUMMARY: AddressSanitizer: 480 byte(s) leaked in 4 allocation(s). ================================================================= ==5483==ERROR: LeakSanitizer: detected memory leaks Direct leak of 2000 byte(s) in 10 object(s) allocated from: #0 0x7f2c3faeea37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x7f2c3f68a6d9 in qcalloc ../lib/memory.c:105 FRRouting#2 0x56431b83633d in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:710 FRRouting#3 0x56431b83640d in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x56431b7efe13 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x56431b847b31 in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x56431b849ad6 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x56431b849d12 in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7f2c3f773c62 in event_call ../lib/event.c:1995 FRRouting#9 0x7f2c3f65e2de in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x56431b7cdff6 in main ../ospf6d/ospf6_main.c:221 FRRouting#11 0x7f2c3f21dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x611000060800 (200 bytes) 0x611000060a80 (200 bytes) 0x611000060d00 (200 bytes) 0x611000060f80 (200 bytes) 0x611000061200 (200 bytes) 0x611000061480 (200 bytes) 0x611000061840 (200 bytes) 0x611000061ac0 (200 bytes) 0x61100006c740 (200 bytes) 0x61100006d500 (200 bytes) Indirect leak of 460 byte(s) in 10 object(s) allocated from: #0 0x7f2c3faee867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7f2c3f68a69c in qmalloc ../lib/memory.c:100 FRRouting#2 0x56431b836357 in ospf6_lsa_alloc ../ospf6d/ospf6_lsa.c:711 FRRouting#3 0x56431b83640d in ospf6_lsa_create ../ospf6d/ospf6_lsa.c:725 FRRouting#4 0x56431b7efe13 in ospf6_receive_lsa ../ospf6d/ospf6_flood.c:912 FRRouting#5 0x56431b847b31 in ospf6_lsupdate_recv ../ospf6d/ospf6_message.c:1621 FRRouting#6 0x56431b849ad6 in ospf6_read_helper ../ospf6d/ospf6_message.c:1896 FRRouting#7 0x56431b849d12 in ospf6_receive ../ospf6d/ospf6_message.c:1925 FRRouting#8 0x7f2c3f773c62 in event_call ../lib/event.c:1995 FRRouting#9 0x7f2c3f65e2de in frr_run ../lib/libfrr.c:1213 FRRouting#10 0x56431b7cdff6 in main ../ospf6d/ospf6_main.c:221 FRRouting#11 0x7f2c3f21dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Objects leaked above: 0x604000033110 (40 bytes) 0x604000033190 (40 bytes) 0x604000033210 (44 bytes) 0x604000033290 (44 bytes) 0x604000033310 (44 bytes) 0x604000033390 (44 bytes) 0x604000033410 (44 bytes) 0x604000033490 (44 bytes) 0x604000034c90 (44 bytes) 0x6070000d3830 (72 bytes) SUMMARY: AddressSanitizer: 2460 byte(s) leaked in 20 allocation(s). Signed-off-by: ryndia <[email protected]> (cherry picked from commit b3420b1)
When `dplane_fpm_nl` receives a route, it allocates memory for a dplane context and calls `netlink_route_change_read_unicast_internal` without initializing the `intf_extra_list` contained in the dplane context. If `netlink_route_change_read_unicast_internal` is not able to process the route, we call `dplane_ctx_fini` to free the dplane context. This causes a crash because `dplane_ctx_fini` attempts to access the intf_extra_list which is not initialized. To solve this issue, we can call `dplane_ctx_route_init`to initialize the dplane route context properly, just after the dplane context allocation. (gdb) bt #0 0x0000555dd5ceae80 in dplane_intf_extra_list_pop (h=0x7fae1c007e68) at ../zebra/zebra_dplane.c:427 #1 dplane_ctx_free_internal (ctx=0x7fae1c0074b0) at ../zebra/zebra_dplane.c:724 FRRouting#2 0x0000555dd5cebc99 in dplane_ctx_free (pctx=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:869 FRRouting#3 dplane_ctx_free (pctx=0x7fae2aa88c98, pctx@entry=0x7fae2aa78c28) at ../zebra/zebra_dplane.c:855 FRRouting#4 dplane_ctx_fini (pctx=pctx@entry=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:890 FRRouting#5 0x00007fae31e93f29 in fpm_read (t=) at ../zebra/dplane_fpm_nl.c:605 FRRouting#6 0x00007fae325191dd in thread_call (thread=thread@entry=0x7fae2aa98da0) at ../lib/thread.c:2006 FRRouting#7 0x00007fae324c42b8 in fpt_run (arg=0x555dd74777c0) at ../lib/frr_pthread.c:309 FRRouting#8 0x00007fae32405ea7 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 FRRouting#9 0x00007fae32325a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6 Fixes: FRRouting#13754 Signed-off-by: Carmine Scarpitta <[email protected]> (cherry picked from commit 7f2dec4)
The bgp vpn policy had some attribute not free when the function bgp_free was called leading to memory leak as shown below. ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251:Direct leak of 592 byte(s) in 2 object(s) allocated from: ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #0 0x7f4b7ae92037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #1 0x7f4b7aa96e38 in qcalloc lib/memory.c:105 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#2 0x7f4b7aa9bec9 in srv6_locator_chunk_alloc lib/srv6.c:135 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#3 0x56396f8e56f8 in ensure_vrf_tovpn_sid_per_af bgpd/bgp_mplsvpn.c:752 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#4 0x56396f8e608a in ensure_vrf_tovpn_sid bgpd/bgp_mplsvpn.c:846 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#5 0x56396f8e075d in vpn_leak_postchange bgpd/bgp_mplsvpn.h:259 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#6 0x56396f8f3e5b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3397 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#7 0x56396fa920ef in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3238 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#8 0x7f4b7abb2913 in zclient_read lib/zclient.c:4134 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#9 0x7f4b7ab62010 in thread_call lib/thread.c:1991 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#10 0x7f4b7aa5a418 in frr_run lib/libfrr.c:1185 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#11 0x56396f7d756d in main bgpd/bgp_main.c:505 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#12 0x7f4b7a479d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251:Direct leak of 32 byte(s) in 2 object(s) allocated from: ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #0 0x7f4b7ae92037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #1 0x7f4b7aa96e38 in qcalloc lib/memory.c:105 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#2 0x56396f8e31b8 in vpn_leak_zebra_vrf_sid_update_per_af bgpd/bgp_mplsvpn.c:386 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#3 0x56396f8e3ae8 in vpn_leak_zebra_vrf_sid_update bgpd/bgp_mplsvpn.c:448 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#4 0x56396f8e09b0 in vpn_leak_postchange bgpd/bgp_mplsvpn.h:271 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#5 0x56396f8f3e5b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3397 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#6 0x56396fa920ef in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3238 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#7 0x7f4b7abb2913 in zclient_read lib/zclient.c:4134 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#8 0x7f4b7ab62010 in thread_call lib/thread.c:1991 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#9 0x7f4b7aa5a418 in frr_run lib/libfrr.c:1185 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#10 0x56396f7d756d in main bgpd/bgp_main.c:505 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#11 0x7f4b7a479d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251:Direct leak of 32 byte(s) in 2 object(s) allocated from: ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #0 0x7f4b7ae92037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- #1 0x7f4b7aa96e38 in qcalloc lib/memory.c:105 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#2 0x56396f8e5730 in ensure_vrf_tovpn_sid_per_af bgpd/bgp_mplsvpn.c:753 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#3 0x56396f8e608a in ensure_vrf_tovpn_sid bgpd/bgp_mplsvpn.c:846 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#4 0x56396f8e075d in vpn_leak_postchange bgpd/bgp_mplsvpn.h:259 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#5 0x56396f8f3e5b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3397 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#6 0x56396fa920ef in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3238 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#7 0x7f4b7abb2913 in zclient_read lib/zclient.c:4134 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#8 0x7f4b7ab62010 in thread_call lib/thread.c:1991 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#9 0x7f4b7aa5a418 in frr_run lib/libfrr.c:1185 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#10 0x56396f7d756d in main bgpd/bgp_main.c:505 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- FRRouting#11 0x7f4b7a479d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251- ./bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.bgpd.asan.603251-SUMMARY: AddressSanitizer: 656 byte(s) leaked in 6 allocation(s). Signed-off-by: ryndia <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]>
This commit frees dynamically allocated memory associated with `pbrms->nhgrp_name` and `pbrms->dst` which were causing memory leaks. The ASan leak log for reference: ``` ================================================================= ==107458==ERROR: LeakSanitizer: detected memory leaks Direct leak of 56 byte(s) in 1 object(s) allocated from: #0 0x7f87d644ca37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x7f87d5feaa37 in qcalloc ../lib/memory.c:105 FRRouting#2 0x7f87d6054ffd in prefix_new ../lib/prefix.c:1180 FRRouting#3 0x55722f3c2885 in pbr_map_match_dst_magic ../pbrd/pbr_vty.c:302 FRRouting#4 0x55722f3b5c24 in pbr_map_match_dst pbrd/pbr_vty_clippy.c:228 FRRouting#5 0x7f87d5f32d61 in cmd_execute_command_real ../lib/command.c:993 FRRouting#6 0x7f87d5f330ee in cmd_execute_command ../lib/command.c:1052 FRRouting#7 0x7f87d5f33dc0 in cmd_execute ../lib/command.c:1218 FRRouting#8 0x7f87d60e4177 in vty_command ../lib/vty.c:591 FRRouting#9 0x7f87d60e905c in vty_execute ../lib/vty.c:1354 FRRouting#10 0x7f87d60ef45a in vtysh_read ../lib/vty.c:2362 FRRouting#11 0x7f87d60d42d4 in event_call ../lib/event.c:1979 FRRouting#12 0x7f87d5fbe828 in frr_run ../lib/libfrr.c:1213 FRRouting#13 0x55722f3ac795 in main ../pbrd/pbr_main.c:168 FRRouting#14 0x7f87d5b82d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Direct leak of 2 byte(s) in 1 object(s) allocated from: #0 0x7f87d63f39a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454 #1 0x7f87d5feaafc in qstrdup ../lib/memory.c:117 FRRouting#2 0x55722f3da139 in pbr_nht_set_seq_nhg ../pbrd/pbr_nht.c:551 FRRouting#3 0x55722f3c693f in pbr_map_nexthop_group_magic ../pbrd/pbr_vty.c:1140 FRRouting#4 0x55722f3bdaae in pbr_map_nexthop_group pbrd/pbr_vty_clippy.c:1284 FRRouting#5 0x7f87d5f32d61 in cmd_execute_command_real ../lib/command.c:993 FRRouting#6 0x7f87d5f330ee in cmd_execute_command ../lib/command.c:1052 FRRouting#7 0x7f87d5f33dc0 in cmd_execute ../lib/command.c:1218 FRRouting#8 0x7f87d60e4177 in vty_command ../lib/vty.c:591 FRRouting#9 0x7f87d60e905c in vty_execute ../lib/vty.c:1354 FRRouting#10 0x7f87d60ef45a in vtysh_read ../lib/vty.c:2362 FRRouting#11 0x7f87d60d42d4 in event_call ../lib/event.c:1979 FRRouting#12 0x7f87d5fbe828 in frr_run ../lib/libfrr.c:1213 FRRouting#13 0x55722f3ac795 in main ../pbrd/pbr_main.c:168 FRRouting#14 0x7f87d5b82d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 SUMMARY: AddressSanitizer: 58 byte(s) leaked in 2 allocation(s). ``` Signed-off-by: Keelan Cannoo <[email protected]> (cherry picked from commit 0214fb7)
`ng` was not properly freed, leading to a memory leak. The commit calls `nexthop_group_delete` to free memory associated with `ng`. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in isis_topo1.test_isis_topo1/r5.asan.zebra.24308 ================================================================= ==24308==ERROR: LeakSanitizer: detected memory leaks Direct leak of 32 byte(s) in 1 object(s) allocated from: #0 0x7f4f47b43d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f4f4753c0a8 in qcalloc lib/memory.c:105 FRRouting#2 0x7f4f47559526 in nexthop_group_new lib/nexthop_group.c:270 FRRouting#3 0x562ded6a39d4 in zebra_add_import_table_entry zebra/redistribute.c:681 FRRouting#4 0x562ded787c35 in rib_link zebra/zebra_rib.c:3972 FRRouting#5 0x562ded787c35 in rib_addnode zebra/zebra_rib.c:3993 FRRouting#6 0x562ded787c35 in process_subq_early_route_add zebra/zebra_rib.c:2860 FRRouting#7 0x562ded787c35 in process_subq_early_route zebra/zebra_rib.c:3138 FRRouting#8 0x562ded787c35 in process_subq zebra/zebra_rib.c:3178 FRRouting#9 0x562ded787c35 in meta_queue_process zebra/zebra_rib.c:3228 FRRouting#10 0x7f4f475f7118 in work_queue_run lib/workqueue.c:266 FRRouting#11 0x7f4f475dc7f2 in event_call lib/event.c:1969 FRRouting#12 0x7f4f4751f347 in frr_run lib/libfrr.c:1213 FRRouting#13 0x562ded69e818 in main zebra/main.c:486 FRRouting#14 0x7f4f468ffc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 152 byte(s) in 1 object(s) allocated from: #0 0x7f4f47b43d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f4f4753c0a8 in qcalloc lib/memory.c:105 FRRouting#2 0x7f4f475510ad in nexthop_new lib/nexthop.c:376 FRRouting#3 0x7f4f475539c5 in nexthop_dup lib/nexthop.c:914 FRRouting#4 0x7f4f4755b27a in copy_nexthops lib/nexthop_group.c:444 FRRouting#5 0x562ded6a3a1c in zebra_add_import_table_entry zebra/redistribute.c:682 FRRouting#6 0x562ded787c35 in rib_link zebra/zebra_rib.c:3972 FRRouting#7 0x562ded787c35 in rib_addnode zebra/zebra_rib.c:3993 FRRouting#8 0x562ded787c35 in process_subq_early_route_add zebra/zebra_rib.c:2860 FRRouting#9 0x562ded787c35 in process_subq_early_route zebra/zebra_rib.c:3138 FRRouting#10 0x562ded787c35 in process_subq zebra/zebra_rib.c:3178 FRRouting#11 0x562ded787c35 in meta_queue_process zebra/zebra_rib.c:3228 FRRouting#12 0x7f4f475f7118 in work_queue_run lib/workqueue.c:266 FRRouting#13 0x7f4f475dc7f2 in event_call lib/event.c:1969 FRRouting#14 0x7f4f4751f347 in frr_run lib/libfrr.c:1213 FRRouting#15 0x562ded69e818 in main zebra/main.c:486 FRRouting#16 0x7f4f468ffc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 184 byte(s) leaked in 2 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]> (cherry picked from commit 92598cb)
The shallow copy of attr wasn't freed when there was no valid label for the momentand the function return therefore creating leaks. The leak below are solved by flushing the shallow copy of attr. Address Sanitizer Error detected in bgp_vpnv6_per_nexthop_label.test_bgp_vpnv6_per_nexthop_label/r1.asan.bgpd.13409 ================================================================= ==13409==ERROR: LeakSanitizer: detected memory leaks Direct leak of 280 byte(s) in 7 object(s) allocated from: #0 0x7f62cd0c9d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f62ccac21c3 in qcalloc lib/memory.c:105 FRRouting#2 0x5623b8810dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b88c13b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x5623b89beabc in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x5623b89beabc in af_label_vpn_export_allocation_mode_magic bgpd/bgp_vty.c:9464 FRRouting#7 0x5623b89beabc in af_label_vpn_export_allocation_mode bgpd/bgp_vty_clippy.c:2809 FRRouting#8 0x7f62cca45511 in cmd_execute_command_real lib/command.c:978 FRRouting#9 0x7f62cca459d5 in cmd_execute_command lib/command.c:1036 FRRouting#10 0x7f62cca45e54 in cmd_execute lib/command.c:1203 FRRouting#11 0x7f62ccb6ee20 in vty_command lib/vty.c:591 FRRouting#12 0x7f62ccb6f2cb in vty_execute lib/vty.c:1354 FRRouting#13 0x7f62ccb77b95 in vtysh_read lib/vty.c:2362 FRRouting#14 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#15 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#16 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#17 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 280 byte(s) in 7 object(s) allocated from: #0 0x7f62cd0c9d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f62ccac21c3 in qcalloc lib/memory.c:105 FRRouting#2 0x5623b8810dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b892e86d in bgp_update bgpd/bgp_route.c:4969 FRRouting#5 0x5623b893134d in bgp_nlri_parse_ip bgpd/bgp_route.c:6213 FRRouting#6 0x5623b88e2a0e in bgp_nlri_parse bgpd/bgp_packet.c:341 FRRouting#7 0x5623b88e4f7c in bgp_update_receive bgpd/bgp_packet.c:2220 FRRouting#8 0x5623b88f0474 in bgp_process_packet bgpd/bgp_packet.c:3386 FRRouting#9 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#10 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 280 byte(s) in 7 object(s) allocated from: #0 0x7f62cd0c9d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f62ccac21c3 in qcalloc lib/memory.c:105 FRRouting#2 0x5623b8810dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b88c13b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x5623b89bdebb in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x5623b89bdebb in af_label_vpn_export_magic bgpd/bgp_vty.c:9547 FRRouting#7 0x5623b89bdebb in af_label_vpn_export bgpd/bgp_vty_clippy.c:2868 FRRouting#8 0x7f62cca45511 in cmd_execute_command_real lib/command.c:978 FRRouting#9 0x7f62cca459d5 in cmd_execute_command lib/command.c:1036 FRRouting#10 0x7f62cca45e54 in cmd_execute lib/command.c:1203 FRRouting#11 0x7f62ccb6ee20 in vty_command lib/vty.c:591 FRRouting#12 0x7f62ccb6f2cb in vty_execute lib/vty.c:1354 FRRouting#13 0x7f62ccb77b95 in vtysh_read lib/vty.c:2362 FRRouting#14 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#15 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#16 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#17 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 240 byte(s) in 6 object(s) allocated from: #0 0x7f62cd0c9d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f62ccac21c3 in qcalloc lib/memory.c:105 FRRouting#2 0x5623b8810dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b88dc289 in evaluate_paths bgpd/bgp_nht.c:1384 FRRouting#5 0x5623b88ddb0b in bgp_process_nexthop_update bgpd/bgp_nht.c:733 FRRouting#6 0x5623b88de027 in bgp_parse_nexthop_update bgpd/bgp_nht.c:934 FRRouting#7 0x5623b8a03163 in bgp_read_nexthop_update bgpd/bgp_zebra.c:104 FRRouting#8 0x7f62ccb92d8a in zclient_read lib/zclient.c:4425 FRRouting#9 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#10 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 120 byte(s) in 3 object(s) allocated from: #0 0x7f62cd0c9d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f62ccac21c3 in qcalloc lib/memory.c:105 FRRouting#2 0x5623b8810dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b893a406 in bgp_redistribute_add bgpd/bgp_route.c:8692 FRRouting#5 0x5623b8a02b3b in zebra_read_route bgpd/bgp_zebra.c:595 FRRouting#6 0x7f62ccb92d8a in zclient_read lib/zclient.c:4425 FRRouting#7 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#8 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#9 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#10 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7f62cd0c9d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f62ccac21c3 in qcalloc lib/memory.c:105 FRRouting#2 0x5623b8810dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b88dc188 in evaluate_paths bgpd/bgp_nht.c:1348 FRRouting#5 0x5623b88ddb0b in bgp_process_nexthop_update bgpd/bgp_nht.c:733 FRRouting#6 0x5623b88de027 in bgp_parse_nexthop_update bgpd/bgp_nht.c:934 FRRouting#7 0x5623b8a03163 in bgp_read_nexthop_update bgpd/bgp_zebra.c:104 FRRouting#8 0x7f62ccb92d8a in zclient_read lib/zclient.c:4425 FRRouting#9 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#10 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 56 byte(s) in 7 object(s) allocated from: #0 0x7f62cd0c9b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f62ccac1ee3 in qmalloc lib/memory.c:100 FRRouting#2 0x5623b8810eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b88c13b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x5623b89beabc in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x5623b89beabc in af_label_vpn_export_allocation_mode_magic bgpd/bgp_vty.c:9464 FRRouting#7 0x5623b89beabc in af_label_vpn_export_allocation_mode bgpd/bgp_vty_clippy.c:2809 FRRouting#8 0x7f62cca45511 in cmd_execute_command_real lib/command.c:978 FRRouting#9 0x7f62cca459d5 in cmd_execute_command lib/command.c:1036 FRRouting#10 0x7f62cca45e54 in cmd_execute lib/command.c:1203 FRRouting#11 0x7f62ccb6ee20 in vty_command lib/vty.c:591 FRRouting#12 0x7f62ccb6f2cb in vty_execute lib/vty.c:1354 FRRouting#13 0x7f62ccb77b95 in vtysh_read lib/vty.c:2362 FRRouting#14 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#15 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#16 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#17 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 56 byte(s) in 7 object(s) allocated from: #0 0x7f62cd0c9b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f62ccac1ee3 in qmalloc lib/memory.c:100 FRRouting#2 0x5623b8810eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b892e86d in bgp_update bgpd/bgp_route.c:4969 FRRouting#5 0x5623b893134d in bgp_nlri_parse_ip bgpd/bgp_route.c:6213 FRRouting#6 0x5623b88e2a0e in bgp_nlri_parse bgpd/bgp_packet.c:341 FRRouting#7 0x5623b88e4f7c in bgp_update_receive bgpd/bgp_packet.c:2220 FRRouting#8 0x5623b88f0474 in bgp_process_packet bgpd/bgp_packet.c:3386 FRRouting#9 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#10 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 56 byte(s) in 7 object(s) allocated from: #0 0x7f62cd0c9b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f62ccac1ee3 in qmalloc lib/memory.c:100 FRRouting#2 0x5623b8810eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b88c13b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x5623b89bdebb in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x5623b89bdebb in af_label_vpn_export_magic bgpd/bgp_vty.c:9547 FRRouting#7 0x5623b89bdebb in af_label_vpn_export bgpd/bgp_vty_clippy.c:2868 FRRouting#8 0x7f62cca45511 in cmd_execute_command_real lib/command.c:978 FRRouting#9 0x7f62cca459d5 in cmd_execute_command lib/command.c:1036 FRRouting#10 0x7f62cca45e54 in cmd_execute lib/command.c:1203 FRRouting#11 0x7f62ccb6ee20 in vty_command lib/vty.c:591 FRRouting#12 0x7f62ccb6f2cb in vty_execute lib/vty.c:1354 FRRouting#13 0x7f62ccb77b95 in vtysh_read lib/vty.c:2362 FRRouting#14 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#15 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#16 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#17 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 6 object(s) allocated from: #0 0x7f62cd0c9b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f62ccac1ee3 in qmalloc lib/memory.c:100 FRRouting#2 0x5623b8810eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b88dc289 in evaluate_paths bgpd/bgp_nht.c:1384 FRRouting#5 0x5623b88ddb0b in bgp_process_nexthop_update bgpd/bgp_nht.c:733 FRRouting#6 0x5623b88de027 in bgp_parse_nexthop_update bgpd/bgp_nht.c:934 FRRouting#7 0x5623b8a03163 in bgp_read_nexthop_update bgpd/bgp_zebra.c:104 FRRouting#8 0x7f62ccb92d8a in zclient_read lib/zclient.c:4425 FRRouting#9 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#10 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 24 byte(s) in 3 object(s) allocated from: #0 0x7f62cd0c9b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f62ccac1ee3 in qmalloc lib/memory.c:100 FRRouting#2 0x5623b8810eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b893a406 in bgp_redistribute_add bgpd/bgp_route.c:8692 FRRouting#5 0x5623b8a02b3b in zebra_read_route bgpd/bgp_zebra.c:595 FRRouting#6 0x7f62ccb92d8a in zclient_read lib/zclient.c:4425 FRRouting#7 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#8 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#9 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#10 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 16 byte(s) in 2 object(s) allocated from: #0 0x7f62cd0c9b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f62ccac1ee3 in qmalloc lib/memory.c:100 FRRouting#2 0x5623b8810eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x5623b88be8eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x5623b88dc188 in evaluate_paths bgpd/bgp_nht.c:1348 FRRouting#5 0x5623b88ddb0b in bgp_process_nexthop_update bgpd/bgp_nht.c:733 FRRouting#6 0x5623b88de027 in bgp_parse_nexthop_update bgpd/bgp_nht.c:934 FRRouting#7 0x5623b8a03163 in bgp_read_nexthop_update bgpd/bgp_zebra.c:104 FRRouting#8 0x7f62ccb92d8a in zclient_read lib/zclient.c:4425 FRRouting#9 0x7f62ccb62b8f in event_call lib/event.c:1969 FRRouting#10 0x7f62ccaa5462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x5623b87e054b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f62cbae7c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 1536 byte(s) leaked in 64 allocation(s). *********************************************************************************** Address Sanitizer Error detected in bgp_vpnv4_per_nexthop_label.test_bgp_vpnv4_per_nexthop_label/r1.asan.bgpd.10610 ================================================================= ==10610==ERROR: LeakSanitizer: detected memory leaks Direct leak of 280 byte(s) in 7 object(s) allocated from: #0 0x7f81fc562d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f81fbf5b1c3 in qcalloc lib/memory.c:105 FRRouting#2 0x55cdc9b28dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9c4686d in bgp_update bgpd/bgp_route.c:4969 FRRouting#5 0x55cdc9c4934d in bgp_nlri_parse_ip bgpd/bgp_route.c:6213 FRRouting#6 0x55cdc9bfaa0e in bgp_nlri_parse bgpd/bgp_packet.c:341 FRRouting#7 0x55cdc9bfcf7c in bgp_update_receive bgpd/bgp_packet.c:2220 FRRouting#8 0x55cdc9c08474 in bgp_process_packet bgpd/bgp_packet.c:3386 FRRouting#9 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#10 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 280 byte(s) in 7 object(s) allocated from: #0 0x7f81fc562d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f81fbf5b1c3 in qcalloc lib/memory.c:105 FRRouting#2 0x55cdc9b28dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bd93b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x55cdc9cd6abc in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x55cdc9cd6abc in af_label_vpn_export_allocation_mode_magic bgpd/bgp_vty.c:9464 FRRouting#7 0x55cdc9cd6abc in af_label_vpn_export_allocation_mode bgpd/bgp_vty_clippy.c:2809 FRRouting#8 0x7f81fbede511 in cmd_execute_command_real lib/command.c:978 FRRouting#9 0x7f81fbede9d5 in cmd_execute_command lib/command.c:1036 FRRouting#10 0x7f81fbedee54 in cmd_execute lib/command.c:1203 FRRouting#11 0x7f81fc007e20 in vty_command lib/vty.c:591 FRRouting#12 0x7f81fc0082cb in vty_execute lib/vty.c:1354 FRRouting#13 0x7f81fc010b95 in vtysh_read lib/vty.c:2362 FRRouting#14 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#15 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#16 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#17 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 280 byte(s) in 7 object(s) allocated from: #0 0x7f81fc562d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f81fbf5b1c3 in qcalloc lib/memory.c:105 FRRouting#2 0x55cdc9b28dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bd93b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x55cdc9cd5ebb in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x55cdc9cd5ebb in af_label_vpn_export_magic bgpd/bgp_vty.c:9547 FRRouting#7 0x55cdc9cd5ebb in af_label_vpn_export bgpd/bgp_vty_clippy.c:2868 FRRouting#8 0x7f81fbede511 in cmd_execute_command_real lib/command.c:978 FRRouting#9 0x7f81fbede9d5 in cmd_execute_command lib/command.c:1036 FRRouting#10 0x7f81fbedee54 in cmd_execute lib/command.c:1203 FRRouting#11 0x7f81fc007e20 in vty_command lib/vty.c:591 FRRouting#12 0x7f81fc0082cb in vty_execute lib/vty.c:1354 FRRouting#13 0x7f81fc010b95 in vtysh_read lib/vty.c:2362 FRRouting#14 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#15 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#16 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#17 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 240 byte(s) in 6 object(s) allocated from: #0 0x7f81fc562d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f81fbf5b1c3 in qcalloc lib/memory.c:105 FRRouting#2 0x55cdc9b28dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bf4289 in evaluate_paths bgpd/bgp_nht.c:1384 FRRouting#5 0x55cdc9bf5b0b in bgp_process_nexthop_update bgpd/bgp_nht.c:733 FRRouting#6 0x55cdc9bf6027 in bgp_parse_nexthop_update bgpd/bgp_nht.c:934 FRRouting#7 0x55cdc9d1b163 in bgp_read_nexthop_update bgpd/bgp_zebra.c:104 FRRouting#8 0x7f81fc02bd8a in zclient_read lib/zclient.c:4425 FRRouting#9 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#10 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7f81fc562d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f81fbf5b1c3 in qcalloc lib/memory.c:105 FRRouting#2 0x55cdc9b28dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bf4188 in evaluate_paths bgpd/bgp_nht.c:1348 FRRouting#5 0x55cdc9bf5b0b in bgp_process_nexthop_update bgpd/bgp_nht.c:733 FRRouting#6 0x55cdc9bf6027 in bgp_parse_nexthop_update bgpd/bgp_nht.c:934 FRRouting#7 0x55cdc9d1b163 in bgp_read_nexthop_update bgpd/bgp_zebra.c:104 FRRouting#8 0x7f81fc02bd8a in zclient_read lib/zclient.c:4425 FRRouting#9 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#10 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7f81fc562d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f81fbf5b1c3 in qcalloc lib/memory.c:105 FRRouting#2 0x55cdc9b28dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bd93b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x55cdc9bdafd5 in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x55cdc9bdafd5 in vpn_leak_label_callback bgpd/bgp_mplsvpn.c:581 FRRouting#7 0x55cdc9bb2606 in lp_cbq_docallback bgpd/bgp_labelpool.c:118 FRRouting#8 0x7f81fc0164b5 in work_queue_run lib/workqueue.c:266 FRRouting#9 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#10 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f81fc562d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f81fbf5b1c3 in qcalloc lib/memory.c:105 FRRouting#2 0x55cdc9b28dc8 in ecommunity_dup bgpd/bgp_ecommunity.c:252 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9c52406 in bgp_redistribute_add bgpd/bgp_route.c:8692 FRRouting#5 0x55cdc9d1ab3b in zebra_read_route bgpd/bgp_zebra.c:595 FRRouting#6 0x7f81fc02bd8a in zclient_read lib/zclient.c:4425 FRRouting#7 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#8 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#9 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#10 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 56 byte(s) in 7 object(s) allocated from: #0 0x7f81fc562b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f81fbf5aee3 in qmalloc lib/memory.c:100 FRRouting#2 0x55cdc9b28eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bd93b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x55cdc9cd6abc in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x55cdc9cd6abc in af_label_vpn_export_allocation_mode_magic bgpd/bgp_vty.c:9464 FRRouting#7 0x55cdc9cd6abc in af_label_vpn_export_allocation_mode bgpd/bgp_vty_clippy.c:2809 FRRouting#8 0x7f81fbede511 in cmd_execute_command_real lib/command.c:978 FRRouting#9 0x7f81fbede9d5 in cmd_execute_command lib/command.c:1036 FRRouting#10 0x7f81fbedee54 in cmd_execute lib/command.c:1203 FRRouting#11 0x7f81fc007e20 in vty_command lib/vty.c:591 FRRouting#12 0x7f81fc0082cb in vty_execute lib/vty.c:1354 FRRouting#13 0x7f81fc010b95 in vtysh_read lib/vty.c:2362 FRRouting#14 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#15 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#16 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#17 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 56 byte(s) in 7 object(s) allocated from: #0 0x7f81fc562b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f81fbf5aee3 in qmalloc lib/memory.c:100 FRRouting#2 0x55cdc9b28eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bd93b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x55cdc9cd5ebb in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x55cdc9cd5ebb in af_label_vpn_export_magic bgpd/bgp_vty.c:9547 FRRouting#7 0x55cdc9cd5ebb in af_label_vpn_export bgpd/bgp_vty_clippy.c:2868 FRRouting#8 0x7f81fbede511 in cmd_execute_command_real lib/command.c:978 FRRouting#9 0x7f81fbede9d5 in cmd_execute_command lib/command.c:1036 FRRouting#10 0x7f81fbedee54 in cmd_execute lib/command.c:1203 FRRouting#11 0x7f81fc007e20 in vty_command lib/vty.c:591 FRRouting#12 0x7f81fc0082cb in vty_execute lib/vty.c:1354 FRRouting#13 0x7f81fc010b95 in vtysh_read lib/vty.c:2362 FRRouting#14 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#15 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#16 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#17 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 56 byte(s) in 7 object(s) allocated from: #0 0x7f81fc562b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f81fbf5aee3 in qmalloc lib/memory.c:100 FRRouting#2 0x55cdc9b28eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9c4686d in bgp_update bgpd/bgp_route.c:4969 FRRouting#5 0x55cdc9c4934d in bgp_nlri_parse_ip bgpd/bgp_route.c:6213 FRRouting#6 0x55cdc9bfaa0e in bgp_nlri_parse bgpd/bgp_packet.c:341 FRRouting#7 0x55cdc9bfcf7c in bgp_update_receive bgpd/bgp_packet.c:2220 FRRouting#8 0x55cdc9c08474 in bgp_process_packet bgpd/bgp_packet.c:3386 FRRouting#9 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#10 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 6 object(s) allocated from: #0 0x7f81fc562b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f81fbf5aee3 in qmalloc lib/memory.c:100 FRRouting#2 0x55cdc9b28eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bf4289 in evaluate_paths bgpd/bgp_nht.c:1384 FRRouting#5 0x55cdc9bf5b0b in bgp_process_nexthop_update bgpd/bgp_nht.c:733 FRRouting#6 0x55cdc9bf6027 in bgp_parse_nexthop_update bgpd/bgp_nht.c:934 FRRouting#7 0x55cdc9d1b163 in bgp_read_nexthop_update bgpd/bgp_zebra.c:104 FRRouting#8 0x7f81fc02bd8a in zclient_read lib/zclient.c:4425 FRRouting#9 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#10 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 16 byte(s) in 2 object(s) allocated from: #0 0x7f81fc562b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f81fbf5aee3 in qmalloc lib/memory.c:100 FRRouting#2 0x55cdc9b28eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bf4188 in evaluate_paths bgpd/bgp_nht.c:1348 FRRouting#5 0x55cdc9bf5b0b in bgp_process_nexthop_update bgpd/bgp_nht.c:733 FRRouting#6 0x55cdc9bf6027 in bgp_parse_nexthop_update bgpd/bgp_nht.c:934 FRRouting#7 0x55cdc9d1b163 in bgp_read_nexthop_update bgpd/bgp_zebra.c:104 FRRouting#8 0x7f81fc02bd8a in zclient_read lib/zclient.c:4425 FRRouting#9 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#10 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 16 byte(s) in 2 object(s) allocated from: #0 0x7f81fc562b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f81fbf5aee3 in qmalloc lib/memory.c:100 FRRouting#2 0x55cdc9b28eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9bd93b3 in vpn_leak_from_vrf_update_all bgpd/bgp_mplsvpn.c:2005 FRRouting#5 0x55cdc9bdafd5 in vpn_leak_postchange bgpd/bgp_mplsvpn.h:287 FRRouting#6 0x55cdc9bdafd5 in vpn_leak_label_callback bgpd/bgp_mplsvpn.c:581 FRRouting#7 0x55cdc9bb2606 in lp_cbq_docallback bgpd/bgp_labelpool.c:118 FRRouting#8 0x7f81fc0164b5 in work_queue_run lib/workqueue.c:266 FRRouting#9 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#10 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#11 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#12 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 8 byte(s) in 1 object(s) allocated from: #0 0x7f81fc562b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f81fbf5aee3 in qmalloc lib/memory.c:100 FRRouting#2 0x55cdc9b28eb8 in ecommunity_dup bgpd/bgp_ecommunity.c:256 FRRouting#3 0x55cdc9bd68eb in vpn_leak_from_vrf_update bgpd/bgp_mplsvpn.c:1628 FRRouting#4 0x55cdc9c52406 in bgp_redistribute_add bgpd/bgp_route.c:8692 FRRouting#5 0x55cdc9d1ab3b in zebra_read_route bgpd/bgp_zebra.c:595 FRRouting#6 0x7f81fc02bd8a in zclient_read lib/zclient.c:4425 FRRouting#7 0x7f81fbffbb8f in event_call lib/event.c:1969 FRRouting#8 0x7f81fbf3e462 in frr_run lib/libfrr.c:1213 FRRouting#9 0x55cdc9af854b in main bgpd/bgp_main.c:510 FRRouting#10 0x7f81faf80c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 1536 byte(s) leaked in 64 allocation(s). *********************************************************************************** Signed-off-by: ryndia <[email protected]> (cherry picked from commit 78b6cad)
Fix a crash because a use-after-free. > ================================================================= > ==1249835==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000074210 at pc 0x7fa1b42a652c bp 0x7ffc477a2aa0 sp 0x7ffc477a2a98 > READ of size 8 at 0x604000074210 thread T0 > #0 0x7fa1b42a652b in list_delete_all_node git/frr/lib/linklist.c:299:20 > #1 0x7fa1b42a683f in list_delete git/frr/lib/linklist.c:312:2 > FRRouting#2 0x5ee515 in dplane_ctx_free_internal git/frr/zebra/zebra_dplane.c:858:4 > FRRouting#3 0x5ee59c in dplane_ctx_free git/frr/zebra/zebra_dplane.c:884:2 > FRRouting#4 0x5ee544 in dplane_ctx_fini git/frr/zebra/zebra_dplane.c:905:2 > FRRouting#5 0x7045c0 in rib_process_dplane_results git/frr/zebra/zebra_rib.c:4928:4 > FRRouting#6 0x7fa1b4434fb2 in event_call git/frr/lib/event.c:1970:2 > FRRouting#7 0x7fa1b42a0ccf in frr_run git/frr/lib/libfrr.c:1213:3 > FRRouting#8 0x556808 in main git/frr/zebra/main.c:488:2 > FRRouting#9 0x7fa1b3d0bd09 in __libc_start_main csu/../csu/libc-start.c:308:16 > FRRouting#10 0x4453e9 in _start (/usr/lib/frr/zebra+0x4453e9) > > 0x604000074210 is located 0 bytes inside of 40-byte region [0x604000074210,0x604000074238) > freed by thread T0 here: > #0 0x4bf1dd in free (/usr/lib/frr/zebra+0x4bf1dd) > #1 0x7fa1b42df0c0 in qfree git/frr/lib/memory.c:130:2 > FRRouting#2 0x7fa1b42a68ce in list_free_internal git/frr/lib/linklist.c:24:2 > FRRouting#3 0x7fa1b42a6870 in list_delete git/frr/lib/linklist.c:313:2 > FRRouting#4 0x5ee515 in dplane_ctx_free_internal git/frr/zebra/zebra_dplane.c:858:4 > FRRouting#5 0x5ee59c in dplane_ctx_free git/frr/zebra/zebra_dplane.c:884:2 > FRRouting#6 0x5ee544 in dplane_ctx_fini git/frr/zebra/zebra_dplane.c:905:2 > FRRouting#7 0x7045c0 in rib_process_dplane_results git/frr/zebra/zebra_rib.c:4928:4 > FRRouting#8 0x7fa1b4434fb2 in event_call git/frr/lib/event.c:1970:2 > FRRouting#9 0x7fa1b42a0ccf in frr_run git/frr/lib/libfrr.c:1213:3 > FRRouting#10 0x556808 in main git/frr/zebra/main.c:488:2 > FRRouting#11 0x7fa1b3d0bd09 in __libc_start_main csu/../csu/libc-start.c:308:16 > > previously allocated by thread T0 here: > #0 0x4bf5d2 in calloc (/usr/lib/frr/zebra+0x4bf5d2) > #1 0x7fa1b42dee18 in qcalloc git/frr/lib/memory.c:105:27 > FRRouting#2 0x7fa1b42a3784 in list_new git/frr/lib/linklist.c:18:9 > FRRouting#3 0x6d165f in pbr_iptable_alloc_intern git/frr/zebra/zebra_pbr.c:1015:29 > FRRouting#4 0x7fa1b426ad1f in hash_get git/frr/lib/hash.c:147:13 > FRRouting#5 0x6d15f2 in zebra_pbr_add_iptable git/frr/zebra/zebra_pbr.c:1030:13 > FRRouting#6 0x5db2a3 in zread_iptable git/frr/zebra/zapi_msg.c:3759:3 > FRRouting#7 0x5e365d in zserv_handle_commands git/frr/zebra/zapi_msg.c:4039:3 > FRRouting#8 0x7e09fc in zserv_process_messages git/frr/zebra/zserv.c:520:3 > FRRouting#9 0x7fa1b4434fb2 in event_call git/frr/lib/event.c:1970:2 > FRRouting#10 0x7fa1b42a0ccf in frr_run git/frr/lib/libfrr.c:1213:3 > FRRouting#11 0x556808 in main git/frr/zebra/main.c:488:2 > FRRouting#12 0x7fa1b3d0bd09 in __libc_start_main csu/../csu/libc-start.c:308:16 Fixes: 1cc3806 ("zebra: Actually free all memory associated ctx->u.iptable.interface_name_list") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit 45140bb)
Fix bgp_best_selection heap-use-after-free > ==2521540==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000032810 at pc 0x000000716f45 bp 0x7ffedc6229d0 sp 0x7ffedc6229c8 > READ of size 8 at 0x60d000032810 thread T0 > #0 0x716f44 in bgp_best_selection /home/lscalber/git/frr/bgpd/bgp_route.c:2834:5 > #1 0x71a05e in bgp_process_main_one /home/lscalber/git/frr/bgpd/bgp_route.c:3344:2 > FRRouting#2 0x71c265 in bgp_process_wq /home/lscalber/git/frr/bgpd/bgp_route.c:3622:3 > FRRouting#3 0x7fe630a6669c in work_queue_run /home/lscalber/git/frr/lib/workqueue.c:282:10 > FRRouting#4 0x7fe630a294e2 in event_call /home/lscalber/git/frr/lib/event.c:1974:2 > FRRouting#5 0x7fe630898f3f in frr_run /home/lscalber/git/frr/lib/libfrr.c:1214:3 > FRRouting#6 0x4f4ace in main /home/lscalber/git/frr/bgpd/bgp_main.c:510:2 > FRRouting#7 0x7fe63018bd09 in __libc_start_main csu/../csu/libc-start.c:308:16 > FRRouting#8 0x449629 in _start (/usr/lib/frr/bgpd+0x449629) > > 0x60d000032810 is located 48 bytes inside of 144-byte region [0x60d0000327e0,0x60d000032870) > freed by thread T0 here: > #0 0x4c341d in free (/usr/lib/frr/bgpd+0x4c341d) > #1 0x7fe6308d7420 in qfree /home/lscalber/git/frr/lib/memory.c:130:2 > FRRouting#2 0x702632 in bgp_path_info_free_with_caller /home/lscalber/git/frr/bgpd/bgp_route.c:300:2 > FRRouting#3 0x702023 in bgp_path_info_unlock /home/lscalber/git/frr/bgpd/bgp_route.c:315:3 > FRRouting#4 0x703bc6 in bgp_path_info_reap /home/lscalber/git/frr/bgpd/bgp_route.c:461:2 > FRRouting#5 0x716e5d in bgp_best_selection /home/lscalber/git/frr/bgpd/bgp_route.c:2829:12 > FRRouting#6 0x71a05e in bgp_process_main_one /home/lscalber/git/frr/bgpd/bgp_route.c:3344:2 > FRRouting#7 0x71c265 in bgp_process_wq /home/lscalber/git/frr/bgpd/bgp_route.c:3622:3 > FRRouting#8 0x7fe630a6669c in work_queue_run /home/lscalber/git/frr/lib/workqueue.c:282:10 > FRRouting#9 0x7fe630a294e2 in event_call /home/lscalber/git/frr/lib/event.c:1974:2 > FRRouting#10 0x7fe630898f3f in frr_run /home/lscalber/git/frr/lib/libfrr.c:1214:3 > FRRouting#11 0x4f4ace in main /home/lscalber/git/frr/bgpd/bgp_main.c:510:2 > FRRouting#12 0x7fe63018bd09 in __libc_start_main csu/../csu/libc-start.c:308:16 > > previously allocated by thread T0 here: > #0 0x4c3812 in calloc (/usr/lib/frr/bgpd+0x4c3812) > #1 0x7fe6308d7178 in qcalloc /home/lscalber/git/frr/lib/memory.c:105:27 > FRRouting#2 0x71f5b4 in info_make /home/lscalber/git/frr/bgpd/bgp_route.c:3985:8 > FRRouting#3 0x725293 in bgp_update /home/lscalber/git/frr/bgpd/bgp_route.c:4881:8 > FRRouting#4 0x73083d in bgp_nlri_parse_ip /home/lscalber/git/frr/bgpd/bgp_route.c:6230:4 > FRRouting#5 0x6ba980 in bgp_nlri_parse /home/lscalber/git/frr/bgpd/bgp_packet.c:341:10 > FRRouting#6 0x6cca2a in bgp_update_receive /home/lscalber/git/frr/bgpd/bgp_packet.c:2412:15 > FRRouting#7 0x6c6788 in bgp_process_packet /home/lscalber/git/frr/bgpd/bgp_packet.c:3887:11 > FRRouting#8 0x7fe630a294e2 in event_call /home/lscalber/git/frr/lib/event.c:1974:2 > FRRouting#9 0x7fe630898f3f in frr_run /home/lscalber/git/frr/lib/libfrr.c:1214:3 > FRRouting#10 0x4f4ace in main /home/lscalber/git/frr/bgpd/bgp_main.c:510:2 > FRRouting#11 0x7fe63018bd09 in __libc_start_main csu/../csu/libc-start.c:308:16 Fixes: ddb5b48 ("bgpd: vpn-vrf route leaking") Signed-off-by: Louis Scalbert <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]>
Implement proper memory cleanup for SRv6 functions and locator chunks to prevent potential memory leaks. The list callback deletion functions have been set. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in bgp_srv6l3vpn_to_bgp_vrf.test_bgp_srv6l3vpn_to_bgp_vrf/r2.asan.bgpd.4180 ================================================================= ==4180==ERROR: LeakSanitizer: detected memory leaks Direct leak of 544 byte(s) in 2 object(s) allocated from: #0 0x7f8d176a0d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f8d1709f238 in qcalloc lib/memory.c:105 FRRouting#2 0x55d5dba6ee75 in sid_register bgpd/bgp_mplsvpn.c:591 FRRouting#3 0x55d5dba6ee75 in alloc_new_sid bgpd/bgp_mplsvpn.c:712 FRRouting#4 0x55d5dba6f3ce in ensure_vrf_tovpn_sid_per_af bgpd/bgp_mplsvpn.c:758 FRRouting#5 0x55d5dba6fb94 in ensure_vrf_tovpn_sid bgpd/bgp_mplsvpn.c:849 FRRouting#6 0x55d5dba7f975 in vpn_leak_postchange bgpd/bgp_mplsvpn.h:299 FRRouting#7 0x55d5dba7f975 in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3704 FRRouting#8 0x55d5dbbb6c66 in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3164 FRRouting#9 0x7f8d1716f08a in zclient_read lib/zclient.c:4459 FRRouting#10 0x7f8d1713f034 in event_call lib/event.c:1974 FRRouting#11 0x7f8d1708242b in frr_run lib/libfrr.c:1214 FRRouting#12 0x55d5db99d19d in main bgpd/bgp_main.c:510 FRRouting#13 0x7f8d160c5c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 296 byte(s) in 1 object(s) allocated from: #0 0x7f8d176a0d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7f8d1709f238 in qcalloc lib/memory.c:105 FRRouting#2 0x7f8d170b1d5f in srv6_locator_chunk_alloc lib/srv6.c:135 FRRouting#3 0x55d5dbbb6a19 in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3144 FRRouting#4 0x7f8d1716f08a in zclient_read lib/zclient.c:4459 FRRouting#5 0x7f8d1713f034 in event_call lib/event.c:1974 FRRouting#6 0x7f8d1708242b in frr_run lib/libfrr.c:1214 FRRouting#7 0x55d5db99d19d in main bgpd/bgp_main.c:510 FRRouting#8 0x7f8d160c5c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]> (cherry picked from commit 8e7044b)
The asan memory leak has been detected: > Direct leak of 16 byte(s) in 1 object(s) allocated from: > #0 0x7f9066dadd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) > #1 0x7f9066779b5d in qcalloc lib/memory.c:105 > FRRouting#2 0x556d6ca527c2 in vpn_leak_zebra_vrf_sid_update_per_af bgpd/bgp_mplsvpn.c:389 > FRRouting#3 0x556d6ca530e1 in vpn_leak_zebra_vrf_sid_update bgpd/bgp_mplsvpn.c:451 > FRRouting#4 0x556d6ca64b3b in vpn_leak_postchange bgpd/bgp_mplsvpn.h:311 > FRRouting#5 0x556d6ca64b3b in vpn_leak_postchange_all bgpd/bgp_mplsvpn.c:3751 > FRRouting#6 0x556d6cb9f116 in bgp_zebra_process_srv6_locator_chunk bgpd/bgp_zebra.c:3337 > FRRouting#7 0x7f906685a6b6 in zclient_read lib/zclient.c:4490 > FRRouting#8 0x7f9066826a32 in event_call lib/event.c:2011 > FRRouting#9 0x7f906675c444 in frr_run lib/libfrr.c:1217 > FRRouting#10 0x556d6c980d52 in main bgpd/bgp_main.c:545 > FRRouting#11 0x7f9065784c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Fix this by freeing the previous memory chunk. Fixes: b72c9e1 ("bgpd: cli for SRv6 SID alloc to redirect to vrf (step4)") Fixes: 527588a ("bgpd: add support for per-VRF SRv6 SID") Signed-off-by: Philippe Guibert <[email protected]> (cherry picked from commit eea8a8a)
> ==2334217==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000001d0a0 at pc 0x563828c8de6f bp 0x7fffbdaee560 sp 0x7fffbdaee558 > READ of size 1 at 0x61000001d0a0 thread T0 > #0 0x563828c8de6e in prefix_sid_cmp isisd/isis_spf.c:187 > #1 0x7f84b8204f71 in hash_get lib/hash.c:142 > FRRouting#2 0x7f84b82055ec in hash_lookup lib/hash.c:184 > FRRouting#3 0x563828c8e185 in isis_spf_prefix_sid_lookup isisd/isis_spf.c:209 > FRRouting#4 0x563828c90642 in isis_spf_add2tent isisd/isis_spf.c:598 > FRRouting#5 0x563828c91cd0 in process_N isisd/isis_spf.c:824 > FRRouting#6 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > FRRouting#7 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > FRRouting#8 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > FRRouting#9 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > FRRouting#10 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > FRRouting#11 0x7f84b835c72d in event_call lib/event.c:2011 > FRRouting#12 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > FRRouting#13 0x563828c21918 in main isisd/isis_main.c:346 > FRRouting#14 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > FRRouting#15 0x563828c20df9 in _start (/usr/lib/frr/isisd+0xf5df9) > > 0x61000001d0a0 is located 96 bytes inside of 184-byte region [0x61000001d040,0x61000001d0f8) > freed by thread T0 here: > #0 0x7f84b88a9b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123 > #1 0x7f84b8263bae in qfree lib/memory.c:130 > FRRouting#2 0x563828c8e433 in isis_vertex_del isisd/isis_spf.c:249 > FRRouting#3 0x563828c91c95 in process_N isisd/isis_spf.c:811 > FRRouting#4 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > FRRouting#5 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > FRRouting#6 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > FRRouting#7 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > FRRouting#8 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > FRRouting#9 0x7f84b835c72d in event_call lib/event.c:2011 > FRRouting#10 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > FRRouting#11 0x563828c21918 in main isisd/isis_main.c:346 > FRRouting#12 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > > previously allocated by thread T0 here: > #0 0x7f84b88aa037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f84b8263a6c in qcalloc lib/memory.c:105 > FRRouting#2 0x563828c8e262 in isis_vertex_new isisd/isis_spf.c:225 > FRRouting#3 0x563828c904db in isis_spf_add2tent isisd/isis_spf.c:588 > FRRouting#4 0x563828c91cd0 in process_N isisd/isis_spf.c:824 > FRRouting#5 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > FRRouting#6 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > FRRouting#7 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > FRRouting#8 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > FRRouting#9 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > FRRouting#10 0x7f84b835c72d in event_call lib/event.c:2011 > FRRouting#11 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > FRRouting#12 0x563828c21918 in main isisd/isis_main.c:346 > FRRouting#13 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > > SUMMARY: AddressSanitizer: heap-use-after-free isisd/isis_spf.c:187 in prefix_sid_cmp > Shadow bytes around the buggy address: > 0x0c207fffb9c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffb9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffb9e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffb9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd > =>0x0c207fffba10: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fa > 0x0c207fffba20: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb > Shadow gap: cc > ==2334217==ABORTING Fixes: 2f7cc7b ("isisd: detect Prefix-SID collisions and handle them appropriately") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit e697de5)
- Addressed memory leak by removing `&c->peer_notifier` from the notifier list on termination. Retaining it caused the notifier list to stay active, preventing the deletion of `c->cur.peer` thereby causing a memory leak. - Reordered termination steps to call `vrf_terminate` before `nhrp_vc_terminate`, preventing a heap-use-after-free issue when `nhrp_vc_notify_del` is invoked in `nhrp_peer_check_delete`. - Added an if statement to avoid passing NULL as hash to `hash_release`, which leads to a SIGSEGV. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in nhrp_topo.test_nhrp_topo/r1.asan.nhrpd.20265 ================================================================= ==20265==ERROR: LeakSanitizer: detected memory leaks Direct leak of 112 byte(s) in 1 object(s) allocated from: #0 0x7f80270c9b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f8026ac1eb8 in qmalloc lib/memory.c:100 FRRouting#2 0x560fd648f0a6 in nhrp_peer_create nhrpd/nhrp_peer.c:175 FRRouting#3 0x7f8026a88d3f in hash_get lib/hash.c:147 FRRouting#4 0x560fd6490a5d in nhrp_peer_get nhrpd/nhrp_peer.c:228 FRRouting#5 0x560fd648a51a in nhrp_nhs_resolve_cb nhrpd/nhrp_nhs.c:297 FRRouting#6 0x7f80266b000f in resolver_cb_literal lib/resolver.c:234 FRRouting#7 0x7f8026b62e0e in event_call lib/event.c:1969 FRRouting#8 0x7f8026aa5437 in frr_run lib/libfrr.c:1213 FRRouting#9 0x560fd6488b4f in main nhrpd/nhrp_main.c:166 FRRouting#10 0x7f8025eb2c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 112 byte(s) leaked in 1 allocation(s). *********************************************************************************** *********************************************************************************** Address Sanitizer Error detected in nhrp_topo.test_nhrp_topo/r2.asan.nhrpd.20400 ================================================================= ==20400==ERROR: LeakSanitizer: detected memory leaks Direct leak of 112 byte(s) in 1 object(s) allocated from: #0 0x7fb6e3ca5b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7fb6e369deb8 in qmalloc lib/memory.c:100 FRRouting#2 0x562652de40a6 in nhrp_peer_create nhrpd/nhrp_peer.c:175 FRRouting#3 0x7fb6e3664d3f in hash_get lib/hash.c:147 FRRouting#4 0x562652de5a5d in nhrp_peer_get nhrpd/nhrp_peer.c:228 FRRouting#5 0x562652de1e8e in nhrp_packet_recvraw nhrpd/nhrp_packet.c:325 FRRouting#6 0x7fb6e373ee0e in event_call lib/event.c:1969 FRRouting#7 0x7fb6e3681437 in frr_run lib/libfrr.c:1213 FRRouting#8 0x562652dddb4f in main nhrpd/nhrp_main.c:166 FRRouting#9 0x7fb6e2a8ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 112 byte(s) leaked in 1 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]> (cherry picked from commit d163f89)
… the fragmented LSP 1. When the root IS regenerates an LSP, it calls lsp_build() -> lsp_clear_data() to free the TLV memory of the first fragment and all other fragments. If the number of fragments in the regenerated LSP decreases or if no fragmentation is needed, the extra LSP fragments are not immediately deleted. Instead, lsp_seqno_update() -> lsp_purge() is called to set the remaining time to zero and start aging, while also notifying other IS nodes to age these fragments. lsp_purge() usually does not reset lsp->hdr.seqno to zero because the LSP might recover during the aging process. 2. When other IS nodes receive an LSP, they always call process_lsp() -> isis_unpack_tlvs() to allocate TLV memory for the LSP. This does not differentiate whether the received LSP has a remaining lifetime of zero. Therefore, it is rare for an LSP of a non-root IS to have empty TLVs. Of course, if an LSP with a remaining time of zero and already corrupted is received, lsp_update() -> lsp_purge() will be called to free the TLV memory of the LSP, but this scenario is rare. 3. In LFA calculations, neighbors of the root IS are traversed, and each neighbor is taken as a new root to compute the neighbor SPT. During this process, the old root IS will serve as a neighbor of the new root IS, triggering a call to isis_spf_process_lsp() to parse the LSP of the old root IS and obtain its IP vertices and neighboring IS vertices. However, isis_spf_process_lsp() only checks whether the TLVs in the first fragment of the LSP exist, and does not check the TLVs in the fragmented LSP. If the TLV memory of the fragmented LSP of the old root IS has been freed, it can lead to a null pointer access, causing the current crash. Additionally, for the base SPT, there are only two places where the LSP of the root IS is parsed: 1. When obtaining the UP neighbors of the root IS via spf_adj_list_parse_lsp(). 2. When preloading the IP vertices of the root IS via isis_lsp_iterate_ip_reach(). Both of these checks ensure that frag->tlvs is not null, and they do not subsequently call isis_spf_process_lsp() to parse the root IS's LSP. It is very rare for non-root IS LSPs to have empty TLVs unless they are corrupted LSPs awaiting deletion. If it happens, a crash will occur. The backtrace is as follows: (gdb) bt #0 0x00007f3097281fe1 in raise () from /lib/x86_64-linux-gnu/libpthread.so.0 #1 0x00007f30973a2972 in core_handler (signo=11, siginfo=0x7ffce66c2870, context=0x7ffce66c2740) at ../lib/sigevent.c:261 FRRouting#2 <signal handler called> FRRouting#3 0x000055dfa805512b in isis_spf_process_lsp (spftree=0x55dfa950eee0, lsp=0x55dfa94cb590, cost=10, depth=1, root_sysid=0x55dfa950ef6c "", parent=0x55dfa952fca0) at ../isisd/isis_spf.c:898 FRRouting#4 0x000055dfa805743b in isis_spf_loop (spftree=0x55dfa950eee0, root_sysid=0x55dfa950ef6c "") at ../isisd/isis_spf.c:1688 FRRouting#5 0x000055dfa805784f in isis_run_spf (spftree=0x55dfa950eee0) at ../isisd/isis_spf.c:1808 FRRouting#6 0x000055dfa8037ff5 in isis_spf_run_neighbors (spftree=0x55dfa9474440) at ../isisd/isis_lfa.c:1259 FRRouting#7 0x000055dfa803ac17 in isis_spf_run_lfa (area=0x55dfa9477510, spftree=0x55dfa9474440) at ../isisd/isis_lfa.c:2300 FRRouting#8 0x000055dfa8057964 in isis_run_spf_with_protection (area=0x55dfa9477510, spftree=0x55dfa9474440) at ../isisd/isis_spf.c:1827 FRRouting#9 0x000055dfa8057c15 in isis_run_spf_cb (thread=0x7ffce66c38e0) at ../isisd/isis_spf.c:1889 FRRouting#10 0x00007f30973bbf04 in thread_call (thread=0x7ffce66c38e0) at ../lib/thread.c:1990 FRRouting#11 0x00007f309735497b in frr_run (master=0x55dfa91733c0) at ../lib/libfrr.c:1198 FRRouting#12 0x000055dfa8029d5d in main (argc=5, argv=0x7ffce66c3b08, envp=0x7ffce66c3b38) at ../isisd/isis_main.c:273 (gdb) f 3 FRRouting#3 0x000055dfa805512b in isis_spf_process_lsp (spftree=0x55dfa950eee0, lsp=0x55dfa94cb590, cost=10, depth=1, root_sysid=0x55dfa950ef6c "", parent=0x55dfa952fca0) at ../isisd/isis_spf.c:898 898 ../isisd/isis_spf.c: No such file or directory. (gdb) p te_neighs $1 = (struct isis_item_list *) 0x120 (gdb) p lsp->tlvs $2 = (struct isis_tlvs *) 0x0 (gdb) p lsp->hdr $3 = {pdu_len = 27, rem_lifetime = 0, lsp_id = "\000\000\000\000\000\001\000\001", seqno = 4, checksum = 59918, lsp_bits = 1 '\001'} The backtrace provided above pertains to version 8.5.4, but it seems that the same issue exists in the code of the master branch as well. I have reviewed the process for calculating the SPT based on the LSP, and isis_spf_process_lsp() is the only function that does not check whether the TLVs in the fragments are empty. Therefore, I believe that modifying this function alone should be sufficient. If the TLVs of the current fragment are already empty, we do not need to continue processing subsequent fragments. This is consistent with the behavior where we do not process fragments if the TLVs of the first fragment are empty. Of course, one could argue that lsp_purge() should still retain the TLV memory, freeing it and then reallocating it if needed. However, this is a debatable point because in some scenarios, it is permissible for the LSP to have empty TLVs. For example, after receiving an SNP (Sequence Number PDU) message, an empty LSP (with lsp->hdr.seqno = 0) might be created by calling lsp_new. If the corresponding LSP message is discarded due to domain or area authentication failure, the TLV memory wouldn't be allocated. Test scenario: In an LFA network, importing a sufficient number of static routes to cause LSP fragmentation, and then rolling back the imported static routes so that the LSP is no longer fragmented, can easily result in this issue. Signed-off-by: zhou-run <[email protected]> (cherry picked from commit e905177)
Fix the following crash when pim options are (un)configured on an non-existent interface. > r1(config)# int fgljdsf > r1(config-if)# no ip pim unicast-bsm > vtysh: error reading from pimd: Connection reset by peer (104)Warning: closing connection to pimd because of an I/O error! > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007f70c8f32249 in core_handler (signo=11, siginfo=0x7fffff88e4f0, context=0x7fffff88e3c0) at lib/sigevent.c:258 > FRRouting#2 <signal handler called> > FRRouting#3 0x0000556cfdd9b16d in lib_interface_pim_address_family_unicast_bsm_modify (args=0x7fffff88f130) at pimd/pim_nb_config.c:1910 > FRRouting#4 0x00007f70c8efdcb5 in nb_callback_modify (context=0x556d00032b60, nb_node=0x556cffeeb9b0, event=NB_EV_APPLY, dnode=0x556d00031670, resource=0x556d00032b48, errmsg=0x7fffff88f710 "", errmsg_len=8192) > at lib/northbound.c:1538 > FRRouting#5 0x00007f70c8efe949 in nb_callback_configuration (context=0x556d00032b60, event=NB_EV_APPLY, change=0x556d00032b10, errmsg=0x7fffff88f710 "", errmsg_len=8192) at lib/northbound.c:1888 > FRRouting#6 0x00007f70c8efee82 in nb_transaction_process (event=NB_EV_APPLY, transaction=0x556d00032b60, errmsg=0x7fffff88f710 "", errmsg_len=8192) at lib/northbound.c:2016 > FRRouting#7 0x00007f70c8efd658 in nb_candidate_commit_apply (transaction=0x556d00032b60, save_transaction=true, transaction_id=0x0, errmsg=0x7fffff88f710 "", errmsg_len=8192) at lib/northbound.c:1356 > FRRouting#8 0x00007f70c8efd78e in nb_candidate_commit (context=..., candidate=0x556cffeb0e80, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7fffff88f710 "", errmsg_len=8192) at lib/northbound.c:1389 > FRRouting#9 0x00007f70c8f03e58 in nb_cli_classic_commit (vty=0x556d00025a80) at lib/northbound_cli.c:51 > FRRouting#10 0x00007f70c8f043f8 in nb_cli_apply_changes_internal (vty=0x556d00025a80, > xpath_base=0x7fffff893bb0 "/frr-interface:lib/interface[name='fgljdsf']/frr-pim:pim/address-family[address-family='frr-routing:ipv4']", clear_pending=false) at lib/northbound_cli.c:178 > FRRouting#11 0x00007f70c8f0475d in nb_cli_apply_changes (vty=0x556d00025a80, xpath_base_fmt=0x556cfdde9fe0 "./frr-pim:pim/address-family[address-family='%s']") at lib/northbound_cli.c:234 > FRRouting#12 0x0000556cfdd8298f in pim_process_no_unicast_bsm_cmd (vty=0x556d00025a80) at pimd/pim_cmd_common.c:3493 > FRRouting#13 0x0000556cfddcf782 in no_ip_pim_ucast_bsm (self=0x556cfde40b20 <no_ip_pim_ucast_bsm_cmd>, vty=0x556d00025a80, argc=4, argv=0x556d00031500) at pimd/pim_cmd.c:4950 > FRRouting#14 0x00007f70c8e942f0 in cmd_execute_command_real (vline=0x556d00032070, vty=0x556d00025a80, cmd=0x0, up_level=0) at lib/command.c:1002 > FRRouting#15 0x00007f70c8e94451 in cmd_execute_command (vline=0x556d00032070, vty=0x556d00025a80, cmd=0x0, vtysh=0) at lib/command.c:1061 > FRRouting#16 0x00007f70c8e9499f in cmd_execute (vty=0x556d00025a80, cmd=0x556d00030320 "no ip pim unicast-bsm", matched=0x0, vtysh=0) at lib/command.c:1227 > FRRouting#17 0x00007f70c8f51e44 in vty_command (vty=0x556d00025a80, buf=0x556d00030320 "no ip pim unicast-bsm") at lib/vty.c:616 > FRRouting#18 0x00007f70c8f53bdd in vty_execute (vty=0x556d00025a80) at lib/vty.c:1379 > FRRouting#19 0x00007f70c8f55d59 in vtysh_read (thread=0x7fffff896600) at lib/vty.c:2374 > FRRouting#20 0x00007f70c8f4b209 in event_call (thread=0x7fffff896600) at lib/event.c:2011 > FRRouting#21 0x00007f70c8ed109e in frr_run (master=0x556cffdb4ea0) at lib/libfrr.c:1217 > FRRouting#22 0x0000556cfdddec12 in main (argc=2, argv=0x7fffff896828, envp=0x7fffff896840) at pimd/pim_main.c:165 > (gdb) f 3 > FRRouting#3 0x0000556cfdd9b16d in lib_interface_pim_address_family_unicast_bsm_modify (args=0x7fffff88f130) at pimd/pim_nb_config.c:1910 > 1910 pim_ifp->ucast_bsm_accept = > (gdb) list > 1905 case NB_EV_ABORT: > 1906 break; > 1907 case NB_EV_APPLY: > 1908 ifp = nb_running_get_entry(args->dnode, NULL, true); > 1909 pim_ifp = ifp->info; > 1910 pim_ifp->ucast_bsm_accept = > 1911 yang_dnode_get_bool(args->dnode, NULL); > 1912 > 1913 break; > 1914 } > (gdb) p pim_ifp > $1 = (struct pim_interface *) 0x0 Fixes: 3bb513c ("lib: adapt to version 2 of libyang") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit 6952bea)
When 'no rpki' is requested and the rtrlib RPKI object was freed, bgpd is crashing. RPKI is configured in VRF red. > ip l set red down > ip l del red > printf 'conf\n vrf red\n no rpki' | vtysh > Core was generated by `/usr/bin/bgpd -A 127.0.0.1 -M snmp -M rpki -M bmp'. > Program terminated with signal SIGSEGV, Segmentation fault. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:44 > 44 ./nptl/pthread_kill.c: No such file or directory. > [Current thread is 1 (Thread 0x7fb401f419c0 (LWP 190226))] > (gdb) bt > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:78 > FRRouting#2 __GI___pthread_kill (threadid=140411103615424, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > FRRouting#3 0x00007fb4021ad476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x00007fb4025ce22b in core_handler (signo=11, siginfo=0x7fff831b2d70, context=0x7fff831b2c40) at lib/sigevent.c:248 > FRRouting#5 <signal handler called> > FRRouting#6 rtr_mgr_remove_group (config=0x55fe8789f750, preference=11) at /build/make-pkg/output/source/DIST_RTRLIB/rtrlib/rtrlib/rtr_mgr.c:607 > FRRouting#7 0x00007fb40145f518 in rpki_delete_all_cache_nodes (rpki_vrf=0x55fe8789f4f0) at bgpd/bgp_rpki.c:442 > FRRouting#8 0x00007fb401463098 in no_rpki_magic (self=0x7fb40146bba0 <no_rpki_cmd>, vty=0x55fe877f5130, argc=2, argv=0x55fe877fccd0) at bgpd/bgp_rpki.c:1732 > FRRouting#9 0x00007fb40145c09a in no_rpki (self=0x7fb40146bba0 <no_rpki_cmd>, vty=0x55fe877f5130, argc=2, argv=0x55fe877fccd0) at ./bgpd/bgp_rpki_clippy.c:37 > FRRouting#10 0x00007fb402527abc in cmd_execute_command_real (vline=0x55fe877fd150, vty=0x55fe877f5130, cmd=0x0, up_level=0) at lib/command.c:984 > FRRouting#11 0x00007fb402527c35 in cmd_execute_command (vline=0x55fe877fd150, vty=0x55fe877f5130, cmd=0x0, vtysh=0) at lib/command.c:1043 > FRRouting#12 0x00007fb4025281e5 in cmd_execute (vty=0x55fe877f5130, cmd=0x55fe877fb8c0 "no rpki\n", matched=0x0, vtysh=0) at lib/command.c:1209 > FRRouting#13 0x00007fb4025f0aed in vty_command (vty=0x55fe877f5130, buf=0x55fe877fb8c0 "no rpki\n") at lib/vty.c:615 > FRRouting#14 0x00007fb4025f2a11 in vty_execute (vty=0x55fe877f5130) at lib/vty.c:1378 > FRRouting#15 0x00007fb4025f513d in vtysh_read (thread=0x7fff831b5fa0) at lib/vty.c:2373 > FRRouting#16 0x00007fb4025e9611 in event_call (thread=0x7fff831b5fa0) at lib/event.c:2011 > FRRouting#17 0x00007fb402566976 in frr_run (master=0x55fe871a14a0) at lib/libfrr.c:1212 > FRRouting#18 0x000055fe857829fa in main (argc=9, argv=0x7fff831b6218) at bgpd/bgp_main.c:549 Fixes: 8156765 ("bgpd: Add `no rpki` command") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit 4e053d6) There is also an issue when doing "rpki reset" and then "no rpki". Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit c4e4e6c)
> ==2334217==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000001d0a0 at pc 0x563828c8de6f bp 0x7fffbdaee560 sp 0x7fffbdaee558 > READ of size 1 at 0x61000001d0a0 thread T0 > #0 0x563828c8de6e in prefix_sid_cmp isisd/isis_spf.c:187 > #1 0x7f84b8204f71 in hash_get lib/hash.c:142 > FRRouting#2 0x7f84b82055ec in hash_lookup lib/hash.c:184 > FRRouting#3 0x563828c8e185 in isis_spf_prefix_sid_lookup isisd/isis_spf.c:209 > FRRouting#4 0x563828c90642 in isis_spf_add2tent isisd/isis_spf.c:598 > FRRouting#5 0x563828c91cd0 in process_N isisd/isis_spf.c:824 > FRRouting#6 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > FRRouting#7 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > FRRouting#8 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > FRRouting#9 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > FRRouting#10 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > FRRouting#11 0x7f84b835c72d in event_call lib/event.c:2011 > FRRouting#12 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > FRRouting#13 0x563828c21918 in main isisd/isis_main.c:346 > FRRouting#14 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > FRRouting#15 0x563828c20df9 in _start (/usr/lib/frr/isisd+0xf5df9) > > 0x61000001d0a0 is located 96 bytes inside of 184-byte region [0x61000001d040,0x61000001d0f8) > freed by thread T0 here: > #0 0x7f84b88a9b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123 > #1 0x7f84b8263bae in qfree lib/memory.c:130 > FRRouting#2 0x563828c8e433 in isis_vertex_del isisd/isis_spf.c:249 > FRRouting#3 0x563828c91c95 in process_N isisd/isis_spf.c:811 > FRRouting#4 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > FRRouting#5 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > FRRouting#6 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > FRRouting#7 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > FRRouting#8 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > FRRouting#9 0x7f84b835c72d in event_call lib/event.c:2011 > FRRouting#10 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > FRRouting#11 0x563828c21918 in main isisd/isis_main.c:346 > FRRouting#12 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > > previously allocated by thread T0 here: > #0 0x7f84b88aa037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f84b8263a6c in qcalloc lib/memory.c:105 > FRRouting#2 0x563828c8e262 in isis_vertex_new isisd/isis_spf.c:225 > FRRouting#3 0x563828c904db in isis_spf_add2tent isisd/isis_spf.c:588 > FRRouting#4 0x563828c91cd0 in process_N isisd/isis_spf.c:824 > FRRouting#5 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > FRRouting#6 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > FRRouting#7 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > FRRouting#8 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > FRRouting#9 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > FRRouting#10 0x7f84b835c72d in event_call lib/event.c:2011 > FRRouting#11 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > FRRouting#12 0x563828c21918 in main isisd/isis_main.c:346 > FRRouting#13 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > > SUMMARY: AddressSanitizer: heap-use-after-free isisd/isis_spf.c:187 in prefix_sid_cmp > Shadow bytes around the buggy address: > 0x0c207fffb9c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffb9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffb9e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffb9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd > =>0x0c207fffba10: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fa > 0x0c207fffba20: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb > Shadow gap: cc > ==2334217==ABORTING Fixes: 2f7cc7b ("isisd: detect Prefix-SID collisions and handle them appropriately") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit e697de5)
- Addressed memory leak by removing `&c->peer_notifier` from the notifier list on termination. Retaining it caused the notifier list to stay active, preventing the deletion of `c->cur.peer` thereby causing a memory leak. - Reordered termination steps to call `vrf_terminate` before `nhrp_vc_terminate`, preventing a heap-use-after-free issue when `nhrp_vc_notify_del` is invoked in `nhrp_peer_check_delete`. - Added an if statement to avoid passing NULL as hash to `hash_release`, which leads to a SIGSEGV. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in nhrp_topo.test_nhrp_topo/r1.asan.nhrpd.20265 ================================================================= ==20265==ERROR: LeakSanitizer: detected memory leaks Direct leak of 112 byte(s) in 1 object(s) allocated from: #0 0x7f80270c9b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f8026ac1eb8 in qmalloc lib/memory.c:100 FRRouting#2 0x560fd648f0a6 in nhrp_peer_create nhrpd/nhrp_peer.c:175 FRRouting#3 0x7f8026a88d3f in hash_get lib/hash.c:147 FRRouting#4 0x560fd6490a5d in nhrp_peer_get nhrpd/nhrp_peer.c:228 FRRouting#5 0x560fd648a51a in nhrp_nhs_resolve_cb nhrpd/nhrp_nhs.c:297 FRRouting#6 0x7f80266b000f in resolver_cb_literal lib/resolver.c:234 FRRouting#7 0x7f8026b62e0e in event_call lib/event.c:1969 FRRouting#8 0x7f8026aa5437 in frr_run lib/libfrr.c:1213 FRRouting#9 0x560fd6488b4f in main nhrpd/nhrp_main.c:166 FRRouting#10 0x7f8025eb2c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 112 byte(s) leaked in 1 allocation(s). *********************************************************************************** *********************************************************************************** Address Sanitizer Error detected in nhrp_topo.test_nhrp_topo/r2.asan.nhrpd.20400 ================================================================= ==20400==ERROR: LeakSanitizer: detected memory leaks Direct leak of 112 byte(s) in 1 object(s) allocated from: #0 0x7fb6e3ca5b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7fb6e369deb8 in qmalloc lib/memory.c:100 FRRouting#2 0x562652de40a6 in nhrp_peer_create nhrpd/nhrp_peer.c:175 FRRouting#3 0x7fb6e3664d3f in hash_get lib/hash.c:147 FRRouting#4 0x562652de5a5d in nhrp_peer_get nhrpd/nhrp_peer.c:228 FRRouting#5 0x562652de1e8e in nhrp_packet_recvraw nhrpd/nhrp_packet.c:325 FRRouting#6 0x7fb6e373ee0e in event_call lib/event.c:1969 FRRouting#7 0x7fb6e3681437 in frr_run lib/libfrr.c:1213 FRRouting#8 0x562652dddb4f in main nhrpd/nhrp_main.c:166 FRRouting#9 0x7fb6e2a8ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 112 byte(s) leaked in 1 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]>
Memory leaks are observed in the cleanup code. When “no router bgp" is executed, cleanup in that flow for aggregate-address command is not taken care. fixes the below leak: -- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#4 0x562bf42f1e55 in aggregate_addressv6_magic bgpd/bgp_route.c:8592 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#5 0x562bf42be3f5 in aggregate_addressv6 bgpd/bgp_route_clippy.c:341 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444:Direct leak of 152 byte(s) in 1 object(s) allocated from: ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #0 0x7f163e911037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- #1 0x7f163e4b9259 in qcalloc lib/memory.c:105 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#2 0x562bf42ebbd5 in bgp_aggregate_new bgpd/bgp_route.c:7239 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#3 0x562bf42f14e8 in bgp_aggregate_set bgpd/bgp_route.c:8421 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#4 0x562bf42f1cde in aggregate_addressv4_magic bgpd/bgp_route.c:8543 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#5 0x562bf42bd258 in aggregate_addressv4 bgpd/bgp_route_clippy.c:255 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#6 0x7f163e3f1e1b in cmd_execute_command_real lib/command.c:988 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#7 0x7f163e3f219c in cmd_execute_command lib/command.c:1048 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#8 0x7f163e3f2df4 in cmd_execute lib/command.c:1215 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#9 0x7f163e5a2d73 in vty_command lib/vty.c:544 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#10 0x7f163e5a79c8 in vty_execute lib/vty.c:1307 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#11 0x7f163e5ad299 in vtysh_read lib/vty.c:2216 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#12 0x7f163e593f16 in event_call lib/event.c:1995 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#13 0x7f163e47c839 in frr_run lib/libfrr.c:1185 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#14 0x562bf414e58d in main bgpd/bgp_main.c:505 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- FRRouting#15 0x7f163de66d09 in __libc_start_main ../csu/libc-start.c:308 ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444- ./bgp_local_asn_dot.test_bgp_local_asn_dot_agg/r3.bgpd.asan.3410444-SUMMARY: AddressSanitizer: 304 byte(s) leaked in 2 allocation(s). Signed-off-by: Samanvitha B Bhargav <[email protected]> (cherry picked from commit 7a70d99) Signed-off-by: Donatas Abraitis <[email protected]>
two things: On shutdown cleanup any events associated with the update walker. Also do not allow new events to be created. Fixes this mem-leak: ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790:Direct leak of 8 byte(s) in 1 object(s) allocated from: ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- #0 0x7f0dd0b08037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- #1 0x7f0dd06c19f9 in qcalloc lib/memory.c:105 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#2 0x55b42fb605bc in rib_update_ctx_init zebra/zebra_rib.c:4383 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#3 0x55b42fb6088f in rib_update zebra/zebra_rib.c:4421 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#4 0x55b42fa00344 in netlink_link_change zebra/if_netlink.c:2221 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#5 0x55b42fa24622 in netlink_information_fetch zebra/kernel_netlink.c:399 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#6 0x55b42fa28c02 in netlink_parse_info zebra/kernel_netlink.c:1183 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#7 0x55b42fa24951 in kernel_read zebra/kernel_netlink.c:493 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#8 0x7f0dd0797f0c in event_call lib/event.c:1995 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#9 0x7f0dd0684fd9 in frr_run lib/libfrr.c:1185 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#10 0x55b42fa30caa in main zebra/main.c:465 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- FRRouting#11 0x7f0dd01b5d09 in __libc_start_main ../csu/libc-start.c:308 ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790- ./msdp_topo1.test_msdp_topo1/r2.zebra.asan.1117790-SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s). Signed-off-by: Donald Sharp <[email protected]> (cherry picked from commit 3cd0acc) Signed-off-by: Donatas Abraitis <[email protected]>
The loading_done event needs a event pointer to prevent use after free's. Testing found this: ERROR: AddressSanitizer: heap-use-after-free on address 0x613000035130 at pc 0x55ad42d54e5f bp 0x7ffff1e942a0 sp 0x7ffff1e94290 READ of size 1 at 0x613000035130 thread T0 #0 0x55ad42d54e5e in loading_done ospf6d/ospf6_neighbor.c:447 #1 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#2 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 FRRouting#3 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 FRRouting#4 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) FRRouting#5 0x55ad42cf2b19 in _start (/usr/lib/frr/ospf6d+0x248b19) 0x613000035130 is located 48 bytes inside of 384-byte region [0x613000035100,0x613000035280) freed by thread T0 here: #0 0x7f57998d77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55ad42e3b4b6 in qfree lib/memory.c:130 FRRouting#2 0x55ad42d5d049 in ospf6_neighbor_delete ospf6d/ospf6_neighbor.c:180 FRRouting#3 0x55ad42d1e1ea in interface_down ospf6d/ospf6_interface.c:930 FRRouting#4 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#5 0x55ad42ed84fe in _event_execute lib/event.c:2086 FRRouting#6 0x55ad42d26d7b in ospf6_interface_clear ospf6d/ospf6_interface.c:2847 FRRouting#7 0x55ad42d73f16 in ospf6_process_reset ospf6d/ospf6_top.c:755 FRRouting#8 0x55ad42d7e98c in clear_router_ospf6_magic ospf6d/ospf6_top.c:778 FRRouting#9 0x55ad42d7e98c in clear_router_ospf6 ospf6d/ospf6_top_clippy.c:42 FRRouting#10 0x55ad42dc2665 in cmd_execute_command_real lib/command.c:994 FRRouting#11 0x55ad42dc2b32 in cmd_execute_command lib/command.c:1053 FRRouting#12 0x55ad42dc2fa9 in cmd_execute lib/command.c:1221 FRRouting#13 0x55ad42ee3cd6 in vty_command lib/vty.c:591 FRRouting#14 0x55ad42ee4170 in vty_execute lib/vty.c:1354 FRRouting#15 0x55ad42eec94f in vtysh_read lib/vty.c:2362 FRRouting#16 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#17 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 FRRouting#18 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 FRRouting#19 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) previously allocated by thread T0 here: #0 0x7f57998d7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55ad42e3ab22 in qcalloc lib/memory.c:105 FRRouting#2 0x55ad42d5c8ff in ospf6_neighbor_create ospf6d/ospf6_neighbor.c:119 FRRouting#3 0x55ad42d4c86a in ospf6_hello_recv ospf6d/ospf6_message.c:464 FRRouting#4 0x55ad42d4c86a in ospf6_read_helper ospf6d/ospf6_message.c:1884 FRRouting#5 0x55ad42d4c86a in ospf6_receive ospf6d/ospf6_message.c:1925 FRRouting#6 0x55ad42ed7be4 in event_call lib/event.c:1995 FRRouting#7 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 FRRouting#8 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 FRRouting#9 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Add an actual event pointer and just track it appropriately. Signed-off-by: Donald Sharp <[email protected]>
> ==2334217==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000001d0a0 at pc 0x563828c8de6f bp 0x7fffbdaee560 sp 0x7fffbdaee558 > READ of size 1 at 0x61000001d0a0 thread T0 > #0 0x563828c8de6e in prefix_sid_cmp isisd/isis_spf.c:187 > #1 0x7f84b8204f71 in hash_get lib/hash.c:142 > FRRouting#2 0x7f84b82055ec in hash_lookup lib/hash.c:184 > FRRouting#3 0x563828c8e185 in isis_spf_prefix_sid_lookup isisd/isis_spf.c:209 > FRRouting#4 0x563828c90642 in isis_spf_add2tent isisd/isis_spf.c:598 > FRRouting#5 0x563828c91cd0 in process_N isisd/isis_spf.c:824 > FRRouting#6 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > FRRouting#7 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > FRRouting#8 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > FRRouting#9 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > FRRouting#10 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > FRRouting#11 0x7f84b835c72d in event_call lib/event.c:2011 > FRRouting#12 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > FRRouting#13 0x563828c21918 in main isisd/isis_main.c:346 > FRRouting#14 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > FRRouting#15 0x563828c20df9 in _start (/usr/lib/frr/isisd+0xf5df9) > > 0x61000001d0a0 is located 96 bytes inside of 184-byte region [0x61000001d040,0x61000001d0f8) > freed by thread T0 here: > #0 0x7f84b88a9b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123 > #1 0x7f84b8263bae in qfree lib/memory.c:130 > FRRouting#2 0x563828c8e433 in isis_vertex_del isisd/isis_spf.c:249 > FRRouting#3 0x563828c91c95 in process_N isisd/isis_spf.c:811 > FRRouting#4 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > FRRouting#5 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > FRRouting#6 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > FRRouting#7 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > FRRouting#8 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > FRRouting#9 0x7f84b835c72d in event_call lib/event.c:2011 > FRRouting#10 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > FRRouting#11 0x563828c21918 in main isisd/isis_main.c:346 > FRRouting#12 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > > previously allocated by thread T0 here: > #0 0x7f84b88aa037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f84b8263a6c in qcalloc lib/memory.c:105 > FRRouting#2 0x563828c8e262 in isis_vertex_new isisd/isis_spf.c:225 > FRRouting#3 0x563828c904db in isis_spf_add2tent isisd/isis_spf.c:588 > FRRouting#4 0x563828c91cd0 in process_N isisd/isis_spf.c:824 > FRRouting#5 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > FRRouting#6 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > FRRouting#7 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > FRRouting#8 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > FRRouting#9 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > FRRouting#10 0x7f84b835c72d in event_call lib/event.c:2011 > FRRouting#11 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > FRRouting#12 0x563828c21918 in main isisd/isis_main.c:346 > FRRouting#13 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > > SUMMARY: AddressSanitizer: heap-use-after-free isisd/isis_spf.c:187 in prefix_sid_cmp > Shadow bytes around the buggy address: > 0x0c207fffb9c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffb9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffb9e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffb9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd > =>0x0c207fffba10: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fa > 0x0c207fffba20: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb > Shadow gap: cc > ==2334217==ABORTING Fixes: 2f7cc7b ("isisd: detect Prefix-SID collisions and handle them appropriately") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit e697de5)
- Addressed memory leak by removing `&c->peer_notifier` from the notifier list on termination. Retaining it caused the notifier list to stay active, preventing the deletion of `c->cur.peer` thereby causing a memory leak. - Reordered termination steps to call `vrf_terminate` before `nhrp_vc_terminate`, preventing a heap-use-after-free issue when `nhrp_vc_notify_del` is invoked in `nhrp_peer_check_delete`. - Added an if statement to avoid passing NULL as hash to `hash_release`, which leads to a SIGSEGV. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in nhrp_topo.test_nhrp_topo/r1.asan.nhrpd.20265 ================================================================= ==20265==ERROR: LeakSanitizer: detected memory leaks Direct leak of 112 byte(s) in 1 object(s) allocated from: #0 0x7f80270c9b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7f8026ac1eb8 in qmalloc lib/memory.c:100 FRRouting#2 0x560fd648f0a6 in nhrp_peer_create nhrpd/nhrp_peer.c:175 FRRouting#3 0x7f8026a88d3f in hash_get lib/hash.c:147 FRRouting#4 0x560fd6490a5d in nhrp_peer_get nhrpd/nhrp_peer.c:228 FRRouting#5 0x560fd648a51a in nhrp_nhs_resolve_cb nhrpd/nhrp_nhs.c:297 FRRouting#6 0x7f80266b000f in resolver_cb_literal lib/resolver.c:234 FRRouting#7 0x7f8026b62e0e in event_call lib/event.c:1969 FRRouting#8 0x7f8026aa5437 in frr_run lib/libfrr.c:1213 FRRouting#9 0x560fd6488b4f in main nhrpd/nhrp_main.c:166 FRRouting#10 0x7f8025eb2c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 112 byte(s) leaked in 1 allocation(s). *********************************************************************************** *********************************************************************************** Address Sanitizer Error detected in nhrp_topo.test_nhrp_topo/r2.asan.nhrpd.20400 ================================================================= ==20400==ERROR: LeakSanitizer: detected memory leaks Direct leak of 112 byte(s) in 1 object(s) allocated from: #0 0x7fb6e3ca5b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7fb6e369deb8 in qmalloc lib/memory.c:100 FRRouting#2 0x562652de40a6 in nhrp_peer_create nhrpd/nhrp_peer.c:175 FRRouting#3 0x7fb6e3664d3f in hash_get lib/hash.c:147 FRRouting#4 0x562652de5a5d in nhrp_peer_get nhrpd/nhrp_peer.c:228 FRRouting#5 0x562652de1e8e in nhrp_packet_recvraw nhrpd/nhrp_packet.c:325 FRRouting#6 0x7fb6e373ee0e in event_call lib/event.c:1969 FRRouting#7 0x7fb6e3681437 in frr_run lib/libfrr.c:1213 FRRouting#8 0x562652dddb4f in main nhrpd/nhrp_main.c:166 FRRouting#9 0x7fb6e2a8ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 112 byte(s) leaked in 1 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]>
When 'no rpki' is requested and the rtrlib RPKI object was freed, bgpd is crashing. RPKI is configured in VRF red. > ip l set red down > ip l del red > printf 'conf\n vrf red\n no rpki' | vtysh > Core was generated by `/usr/bin/bgpd -A 127.0.0.1 -M snmp -M rpki -M bmp'. > Program terminated with signal SIGSEGV, Segmentation fault. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:44 > 44 ./nptl/pthread_kill.c: No such file or directory. > [Current thread is 1 (Thread 0x7fb401f419c0 (LWP 190226))] > (gdb) bt > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:78 > FRRouting#2 __GI___pthread_kill (threadid=140411103615424, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > FRRouting#3 0x00007fb4021ad476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x00007fb4025ce22b in core_handler (signo=11, siginfo=0x7fff831b2d70, context=0x7fff831b2c40) at lib/sigevent.c:248 > FRRouting#5 <signal handler called> > FRRouting#6 rtr_mgr_remove_group (config=0x55fe8789f750, preference=11) at /build/make-pkg/output/source/DIST_RTRLIB/rtrlib/rtrlib/rtr_mgr.c:607 > FRRouting#7 0x00007fb40145f518 in rpki_delete_all_cache_nodes (rpki_vrf=0x55fe8789f4f0) at bgpd/bgp_rpki.c:442 > FRRouting#8 0x00007fb401463098 in no_rpki_magic (self=0x7fb40146bba0 <no_rpki_cmd>, vty=0x55fe877f5130, argc=2, argv=0x55fe877fccd0) at bgpd/bgp_rpki.c:1732 > FRRouting#9 0x00007fb40145c09a in no_rpki (self=0x7fb40146bba0 <no_rpki_cmd>, vty=0x55fe877f5130, argc=2, argv=0x55fe877fccd0) at ./bgpd/bgp_rpki_clippy.c:37 > FRRouting#10 0x00007fb402527abc in cmd_execute_command_real (vline=0x55fe877fd150, vty=0x55fe877f5130, cmd=0x0, up_level=0) at lib/command.c:984 > FRRouting#11 0x00007fb402527c35 in cmd_execute_command (vline=0x55fe877fd150, vty=0x55fe877f5130, cmd=0x0, vtysh=0) at lib/command.c:1043 > FRRouting#12 0x00007fb4025281e5 in cmd_execute (vty=0x55fe877f5130, cmd=0x55fe877fb8c0 "no rpki\n", matched=0x0, vtysh=0) at lib/command.c:1209 > FRRouting#13 0x00007fb4025f0aed in vty_command (vty=0x55fe877f5130, buf=0x55fe877fb8c0 "no rpki\n") at lib/vty.c:615 > FRRouting#14 0x00007fb4025f2a11 in vty_execute (vty=0x55fe877f5130) at lib/vty.c:1378 > FRRouting#15 0x00007fb4025f513d in vtysh_read (thread=0x7fff831b5fa0) at lib/vty.c:2373 > FRRouting#16 0x00007fb4025e9611 in event_call (thread=0x7fff831b5fa0) at lib/event.c:2011 > FRRouting#17 0x00007fb402566976 in frr_run (master=0x55fe871a14a0) at lib/libfrr.c:1212 > FRRouting#18 0x000055fe857829fa in main (argc=9, argv=0x7fff831b6218) at bgpd/bgp_main.c:549 Fixes: 8156765 ("bgpd: Add `no rpki` command") Signed-off-by: Louis Scalbert <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]>
The following ASAN issue has been observed: > ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000acba4 at pc 0x55910c5694d0 bp 0x7ffe3a8ac850 sp 0x7ffe3a8ac840 > READ of size 4 at 0x6160000acba4 thread T0 > #0 0x55910c5694cf in ctx_info_from_zns zebra/zebra_dplane.c:3315 > #1 0x55910c569696 in dplane_ctx_ns_init zebra/zebra_dplane.c:3331 > FRRouting#2 0x55910c56bf61 in dplane_ctx_nexthop_init zebra/zebra_dplane.c:3680 > FRRouting#3 0x55910c5711ca in dplane_nexthop_update_internal zebra/zebra_dplane.c:4490 > FRRouting#4 0x55910c571c5c in dplane_nexthop_delete zebra/zebra_dplane.c:4717 > FRRouting#5 0x55910c61e90e in zebra_nhg_uninstall_kernel zebra/zebra_nhg.c:3413 > FRRouting#6 0x55910c615d8a in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1919 > FRRouting#7 0x55910c6404db in route_entry_update_nhe zebra/zebra_rib.c:454 > FRRouting#8 0x55910c64c904 in rib_re_nhg_free zebra/zebra_rib.c:2822 > FRRouting#9 0x55910c655be2 in rib_unlink zebra/zebra_rib.c:4212 > FRRouting#10 0x55910c6430f9 in zebra_rtable_node_cleanup zebra/zebra_rib.c:968 > FRRouting#11 0x7f26f275b8a9 in route_node_free lib/table.c:75 > FRRouting#12 0x7f26f275bae4 in route_table_free lib/table.c:111 > FRRouting#13 0x7f26f275b749 in route_table_finish lib/table.c:46 > FRRouting#14 0x55910c65db17 in zebra_router_free_table zebra/zebra_router.c:191 > FRRouting#15 0x55910c65dfb5 in zebra_router_terminate zebra/zebra_router.c:244 > FRRouting#16 0x55910c4f40db in zebra_finalize zebra/main.c:249 > FRRouting#17 0x7f26f2777108 in event_call lib/event.c:2011 > FRRouting#18 0x7f26f264180e in frr_run lib/libfrr.c:1212 > FRRouting#19 0x55910c4f49cb in main zebra/main.c:531 > FRRouting#20 0x7f26f2029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > FRRouting#21 0x7f26f2029e3f in __libc_start_main_impl ../csu/libc-start.c:392 > FRRouting#22 0x55910c4b0114 in _start (/usr/lib/frr/zebra+0x1ae114) It happens with FRR using the kernel. During shutdown, the namespace identifier is attempted to be obtained by zebra, in an attempt to prepare zebra dataplane nexthop messages. Fix this by accessing the ns structure. Signed-off-by: Philippe Guibert <[email protected]>
Fix the display of the local label in show bgp. > r1# show bgp ipv4 labeled-unicast 172.16.2.2/32 > BGP routing table entry for 172.16.2.2/32, version 2 > Local label: 16 <---- MISSING > Paths: (1 available, best #1, table default, vrf (null)) > Advertised to non peer-group peers: > 192.168.1.2 > 65501 > 192.168.1.2 from 192.168.1.2 (172.16.2.2) > Origin IGP, metric 0, valid, external, best (First path received) > Remote label: 3 > Last update: Fri Oct 25 17:55:45 2024 Fixes: 67f67ba ("bgpd: Drop label_ntop/label_pton functions") Signed-off-by: Louis Scalbert <[email protected]>
When shutdown a LAN-type circuit, and if the current device is not the DIS (assuming it is a level-1 device), the isis_circuit_down() function will not call the isis_dr_resign() function to clear the circuit->u.bc.run_dr_elect[0] bit (this bit is set on interfaces in the isis_run_dr() function). After switching the link to a P2P type, since u.p2p and u.bc form a union, and circuit->u.bc.snpa = "\000\000\000\000\000" and circuit->u.bc.run_dr_elect = "\001", this results in circuit->u.p2p.neighbor = 0x1000000000000. Consequently, the value of adj->sysid accesses a wild pointer, causing the current crash. The backtrace is as follows: (gdb) bt #0 0x00007fbd30e55fe1 in raise () from /lib/x86_64-linux-gnu/libpthread.so.0 #1 0x00007fbd30f76b29 in core_handler (signo=11, siginfo=0x7ffc60b7a270, context=0x7ffc60b7a140) at ../lib/sigevent.c:261 FRRouting#2 <signal handler called> FRRouting#3 0x00007fbd30dddba4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 FRRouting#4 0x0000562aec46617f in isis_spf_run_lfa (area=0x562aee3a56d0, spftree=0x562aee3a51a0) at ../isisd/isis_lfa.c:2403 FRRouting#5 0x0000562aec483854 in isis_run_spf_with_protection (area=0x562aee3a56d0, spftree=0x562aee3a51a0) at ../isisd/isis_spf.c:1891 FRRouting#6 0x0000562aec483b05 in isis_run_spf_cb (thread=0x7ffc60b7b000) at ../isisd/isis_spf.c:1953 FRRouting#7 0x00007fbd30f900bb in thread_call (thread=0x7ffc60b7b000) at ../lib/thread.c:1990 FRRouting#8 0x00007fbd30f2897b in frr_run (master=0x562aee0833c0) at ../lib/libfrr.c:1198 FRRouting#9 0x0000562aec454d6d in main (argc=5, argv=0x7ffc60b7b228, envp=0x7ffc60b7b258) at ../isisd/isis_main.c:273 (gdb) f 4 FRRouting#4 0x0000562aec46617f in isis_spf_run_lfa (area=0x562aee3a56d0, spftree=0x562aee3a51a0) at ../isisd/isis_lfa.c:2403 2403 ../isisd/isis_lfa.c: No such file or directory. (gdb) p circuit->u.p2p.neighbor $1 = (struct isis_adjacency *) 0x1000000000000 (gdb) p adj->sysid Cannot access memory at address 0x1000000000006 (gdb) p circuit->u.bc $2 = {snpa = "\000\000\000\000\000", run_dr_elect = "\001", t_run_dr = {0x0, 0x0}, t_send_lan_hello = {0x0, 0x0}, adjdb = {0x0, 0x0}, lan_neighs = {0x0, 0x0}, is_dr = "\000", l1_desig_is = "\000\000\000\000\000\000", l2_desig_is = "\000\000\000\000\000\000", t_refresh_pseudo_lsp = {0x0, 0x0}} (gdb) The backtrace provided above pertains to version 8.5.4, but it seems that the same issue exists in the code of the master branch as well. Signed-off-by: baozhen-H3C <[email protected]>
There is a race condition with addpath withdrawal. The withdrawal never happens if it was request when coalesce timer running. It can be demonstrated by adding to bgp_snmp_bgp4v2mib/rr/bgpd.conf: > router bgp 65004 > + coalesce-time 10000 But it also happens in other conditions. For example, when using "vtysh -f" to load the configuration. It results in having two identical paths but with different addpath on r2: > r2# sh bgp ipv4 10.0.0.0/31 > BGP routing table entry for 10.0.0.0/31, version 3 > Paths: (3 available, best #1, table default) > 65004 > 192.168.12.4 from 192.168.12.4 (192.168.12.4) > Origin IGP, metric 1, valid, external, multipath, best (AS Path) > AddPath ID: RX 0, TX-All 2 TX-Best-Per-AS 0 TX-Best-Selected 0 > Advertised to: 192.168.12.4 > Last update: Thu Sep 12 16:13:59 2024 > 65004 > 192.168.12.4 from 192.168.12.4 (192.168.12.4) > Origin IGP, metric 1, valid, external, multipath > AddPath ID: RX 3, TX-All 4 TX-Best-Per-AS 0 TX-Best-Selected 0 > Advertised to: 192.168.12.4 > Last update: Thu Sep 12 16:13:59 2024 The first path has been created first but should be withdrawn later. Withdraw the stale addpath even the coalesce timer is running. Signed-off-by: Louis Scalbert <[email protected]>
… the neighbor status remains UP Test Scenario: RouterA and RouterB are in the same routing domain and have configured a P2P link. RouterA is configured with "is-type level-1" while RouterB is configured with "is-type level-1-2". They establish a level-1 UP neighborship. In this scenario, we expect that when RouterB's configuration is switched to "is-type level-2-only", the neighborship status on both RouterA and RouterB would be non-UP. However, RouterB still shows the neighbor as UP. Upon receiving a P2P Hello packet, the function "process_p2p_hello" is invoked. According to the ISO/IEC 10589 protocol specification, section 8.2.5.2 a) and tables 5 and 7, if the "iih->circ_type" of the neighbor's hello packet does not match one's own "circuit->is_type," we may choose to take no action. When establishing a neighborship for the first time, the neighbor's status can remain in the "Initializing" state. However, if the neighborship has already been established and one's own "circuit->is_type" changes, the neighbor's UP status cannot be reset. Therefore, when processing P2P Hello packets, we should be cognizant of changes in our own link adjacency type. Topotest has identified a core issue during testing. (gdb) bt "#0 0xb7efe579 in __kernel_vsyscall () \#1 0xb79f62f7 in ?? () \FRRouting#2 0xbf981dd0 in ?? () \FRRouting#3 <signal handler called> \FRRouting#4 0xb79f7722 in ?? () \FRRouting#5 0xb7ed8634 in _DYNAMIC () from /home/z15467/isis_core/usr/lib/i386-linux-gnu/frr/libfrr.so.0.0.0 \FRRouting#6 0x0001003c in ?? () \FRRouting#7 0x00010000 in ?? () \FRRouting#8 0xb7df3322 in _frr_mtx_lock (mutex=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/frr_pthread.h:255 \FRRouting#9 event_timer_remain_msec (thread=0x10000) at ../lib/event.c:734 \FRRouting#10 event_timer_remain_msec (thread=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/event.c:727 \FRRouting#11 0x004fb4aa in _send_hello_sched (circuit=<optimized out>, threadp=0x2189de0, level=1, delay=<optimized out>) at ../isisd/isis_pdu.c:2116 \FRRouting#12 0x004e8dbc in isis_circuit_up (circuit=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../isisd/isis_circuit.c:734 \FRRouting#13 0x004ea8f7 in isis_csm_state_change (event=<optimized out>, circuit=<optimized out>, arg=<optimized out>) at ../isisd/isis_csm.c:98 \FRRouting#14 0x004ea23f in isis_circuit_circ_type_set (circuit=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, circ_type=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../isisd/isis_circuit.c:1578 \FRRouting#15 0x0053aefa in lib_interface_isis_network_type_modify (args=<optimized out>) at ../isisd/isis_nb_config.c:4190 \FRRouting#16 0xb7dbcc8d in nb_callback_modify (errmsg_len=8192, errmsg=0xbf982afc "", resource=0x2186220, dnode=<optimized out>, event=NB_EV_APPLY, nb_node=0x1fafe70, context=<optimized out>) at ../lib/northbound.c:1550 \FRRouting#17 nb_callback_configuration (context=<optimized out>, event=NB_EV_APPLY, change=<optimized out>, errmsg=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg_len=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/northbound.c:1900 \FRRouting#18 0xb7dbd646 in nb_transaction_process (errmsg_len=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, transaction=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, event=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/northbound.c:2028 \FRRouting#19 nb_candidate_commit_apply (transaction=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, save_transaction=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, transaction_id=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg_len=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/northbound.c:1368 \FRRouting#20 0xb7dbdd68 in nb_candidate_commit (context=..., candidate=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, save_transaction=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, comment=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, transaction_id=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, errmsg_len=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/northbound.c:1401 \FRRouting#21 0xb7dc0cff in nb_cli_classic_commit (vty=vty@entry=0x21d6940) at ../lib/northbound_cli.c:57 \FRRouting#22 0xb7dc0f46 in nb_cli_apply_changes_internal (vty=vty@entry=0x21d6940, xpath_base=xpath_base@entry=0xbf986b7c "/frr-interface:lib/interface[name='r5-eth0']", clear_pending=clear_pending@entry=false) at ../lib/northbound_cli.c:184 \FRRouting#23 0xb7dc130b in nb_cli_apply_changes (vty=<optimized out>, xpath_base_fmt=<optimized out>) at ../lib/northbound_cli.c:240 \FRRouting#24 0x00542c1d in isis_network_magic (self=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, argc=<optimized out>, argv=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, no=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vty=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../isisd/isis_cli.c:3101 \FRRouting#25 isis_network (self=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vty=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, argc=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, argv=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ./isisd/isis_cli_clippy.c:5499 \FRRouting#26 0xb7d6d8f1 in cmd_execute_command_real (vline=vline@entry=0x219afa0, vty=vty@entry=0x21d6940, cmd=cmd@entry=0x0, up_level=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/command.c:1003 \FRRouting#27 0xb7d6d9e0 in cmd_execute_command (vline=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vty=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, cmd=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vtysh=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/command.c:1061 \FRRouting#28 0xb7d6dc60 in cmd_execute (vty=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, cmd=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, matched=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>, vtysh=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/command.c:1228 \FRRouting#29 0xb7dfb58a in vty_command (vty=vty@entry=0x21d6940, buf=0x21e0ff0 ' ' <repeats 12 times>, "isis network point-to-point") at ../lib/vty.c:625 \FRRouting#30 0xb7dfc560 in vty_execute (vty=vty@entry=0x21d6940) at ../lib/vty.c:1388 \FRRouting#31 0xb7dfdc8d in vtysh_read (thread=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/vty.c:2400 \FRRouting#32 0xb7df4d47 in event_call (thread=<error reading variable: dwarf2_find_location_expression: Corrupted DWARF expression.>) at ../lib/event.c:2019 \FRRouting#33 0xb7d9a831 in frr_run (master=<optimized out>) at ../lib/libfrr.c:1232 \FRRouting#34 0x004e4758 in main (argc=7, argv=0xbf989a24, envp=0xbf989a44) at ../isisd/isis_main.c:354 (gdb) f 9 \FRRouting#9 event_timer_remain_msec (thread=0x10000) at ../lib/event.c:734 734 ../lib/event.c: No such file or directory. (gdb) p pthread No symbol "pthread" in current context. (gdb) p thread $1 = (struct event *) 0x10000 When LAN links and P2P links share the` circuit->u` of a neighbor, if one link is no longer in use and the union is not cleared, the other link is unable to pass the non-empty check, resulting in accessing an invalid pointer. Unfortunately, for non-DIS devices in LAN links, `circuit->u.bc.run_dr_elect[x]` is essentially always 1, but in `isis_circuit_down()`,` circuit->u.bc.run_dr_elect[x] `will not be cleared because `circuit->u.bc.is_dr[x]` is always 0. Consequently, when switching to a P2P link, `isis_circuit_circ_type_set()` does not reset the link in a non-C_STATE_UP state, leading to subsequent accesses of `circuit->u.p2p.t_send_p2p_hello` resulting in a non-empty yet invalid address. I believe that in `isis_circuit_down()`, the LAN link should unconditionally clear `circuit->u.bc.run_dr_elect[x]`. Signed-off-by: zhou-run <[email protected]>
When receiving an SRv6 BGP update, the nexthop tracking is used to find out the reachability of the BGP update. > # show bgp ipv6 vpn fd00:200::/64 > Paths: (1 available, best #1) > [..] > 4:4::4:4 from 4:4::4:4 (4.4.4.4) > Origin incomplete, metric 0, localpref 100, valid, internal, best (First path received) > Extended Community: RT:52:100 > Remote label: 16 > Remote SID: 2001:db8:f4:: > Last update: Mon Mar 11 11:50:04 2024 The IPv6 address used is the "Remote SID". Actually, this value is incomplete. Remote SID stands for the attribute value received in BGP, while the label value determines a complement of SRv6 SID value. The transposition technique authorises that in BGP, and in the above case, the incoming BGP update has used the transposition length. When there is a transposition in the SID attribute available, use the real SID address. The nexthop tracking will use that forged address. > # show bgp nexthop > Current BGP nexthop cache: > 4:4::4:4 valid [IGP metric 30], #paths 0, peer 4:4::4:4 > gate fe80::dced:1ff:fed6:878c, if ntfp3 > Last update: Mon Mar 11 11:50:02 2024 > 2001:db8:f4:1:: valid [IGP metric 0], #paths 2 > gate fe80::dced:1ff:fed6:878c, if ntfp3 Fixes: 26c747e ("bgpd: extend make_prefix to form srv6-based prefix") Signed-off-by: Philippe Guibert <[email protected]>
…utes detail` If we have a route-map that sets some attributes e.g. community or large-community, and the route-map is applied for outgoing direction, everything is fine, but we missed the point that `advertised-routes detail` was not using the applied attributes to display and instead it uses what is received from the peer (original). Let's fix this, and use what's already applied (advertise attributes), and we can now see: ``` route-map r3 permit 10 match ip address prefix-list p1 set community 65001:65002 set extcommunity bandwidth 100 set large-community 65001:65002:65003 exit ! ... address-family ipv4 unicast neighbor 192.168.2.3 route-map r3 out exit-address-family ... ``` The output: ``` r2# show bgp ipv4 neighbors 192.168.2.3 advertised-routes detail BGP table version is 1, local router ID is 192.168.2.2, vrf id 0 Default local pref 100, local AS 65002 BGP routing table entry for 10.10.10.1/32, version 1 Paths: (1 available, best #1, table default) Advertised to non peer-group peers: 192.168.1.1 192.168.2.3 65001 0.0.0.0 from 192.168.1.1 (192.168.1.1) Origin IGP, valid, external, best (First path received) Community: 65001:65002 Extended Community: LB:65002:12500000 (100.000 Mbps) Large Community: 65001:65002:65003 Last update: Thu Dec 19 17:00:40 2024 ``` Signed-off-by: Donatas Abraitis <[email protected]>
bgpd: Add support for BGP vrf route copying
Example configuration:
router bgp 100 vrf vrf-1
address-family ipv4 unicast
rd vpn export 1:1
rt vpn both 1:1
export vpn
import vpn
redistribute vrf vrf-2
exit-address-family
!
!
router bgp 100 vrf vrf-2
neighbor 2.2.2.2 remote-as 1
address-family ipv4 unicast
rd vpn export 2:2
rt vpn both 2:2
neighbor 2.2.2.2 activate
exit-address-family
!
BGP routes learned from the neighbor 2.2.2.2 under VRF-1 can be directly copied to the BGP under VRF-1 without carrying the RD and RT attributes of VRF-1. After being copied to VRF-1, the routes will be sent to VPN with the RD 1:1 and RT 1:1 attributes, forming BGP-VPN routes.