Skip to content

all: use ->text when parsing protocol argument #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
donaldsharp merged 2 commits into from
Jan 7, 2017
Merged

all: use ->text when parsing protocol argument #10

donaldsharp merged 2 commits into from
Jan 7, 2017

Conversation

@qlyoung
Copy link
Member

@qlyoung qlyoung commented Dec 16, 2016

and match on full protocol name in proto_redistnum()

Signed-off-by: Quentin Young qlyoung@cumulusnetworks.com

Fixes #9

@qlyoung
all: use ->text when parsing protocol argument
6d681bd 
and match on full protocol name in proto_redistnum()

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
@donaldsharp donaldsharp merged commit 3324ef9 into FRRouting:master Jan 7, 2017
@NetDEF-CI
Copy link
Collaborator

NetDEF-CI commented Jan 7, 2017

Continous Integration Result: FAILED

See below for issues.
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-23/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

Get source and apply patch from patchwork: Successful

Building Stage: Failed

Fedora24 amd64 build: Successful
FreeBSD11 amd64 build: Successful
NetBSD7 amd64 build: Successful
Ubuntu1604 amd64 build: Successful
NetBSD6 amd64 build: Successful
CentOS7 amd64 build: Successful
Debian8 amd64 build: Successful
FreeBSD9 amd64 build: Successful
Ubuntu1404 amd64 build: Successful
OmniOS amd64 build: Successful
OpenBSD60 amd64 build: Successful

CentOS6 amd64 build: Failed

CentOS6 amd64 build: Unknown Log <log_configure.txt>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-23/artifact/CI006BUILD/ErrorLog/log_configure.txt
CentOS6 amd64 build: Unknown Log <config.log>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-23/artifact/CI006BUILD/config.log/config.log
CentOS6 amd64 build: No useful log found

FreeBSD10 amd64 build: Failed

DejaGNU Unittests (make check) failed for FreeBSD10 amd64 build
see DejaGNU log at /browse/FRR-FRRPULLREQ-23/artifact/CI003BUILD/ErrorLog/log_dejagnu.txt
FreeBSD10 amd64 build: Unknown Log <config.status>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-23/artifact/CI003BUILD/config.status/config.status

Ubuntu1204 amd64 build: Failed

Ubuntu1204 amd64 build: Unknown Log <log_configure.txt>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-23/artifact/CI002BUILD/ErrorLog/log_configure.txt
Ubuntu1204 amd64 build: Unknown Log <config.log>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-23/artifact/CI002BUILD/config.log/config.log
Ubuntu1204 amd64 build: No useful log found

@NetDEF-CI
Copy link
Collaborator

NetDEF-CI commented Jan 7, 2017

Continous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-23/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

@qlyoung qlyoung deleted the fix-proto_redistnum branch January 10, 2017 23:13
@dslicenc dslicenc mentioned this pull request Feb 6, 2017
Closed
qlyoung added a commit to qlyoung/frr that referenced this pull request Apr 2, 2017
@qlyoung
lib: fix proto_redistnum() oversight from FRRouting#257
f257ff2 
proto_redistnum() now accepts full protocol strings and not partial
names per FRRouting#10

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
@qlyoung qlyoung mentioned this pull request Apr 2, 2017
Merged
@anithanarasimhamurthy anithanarasimhamurthy mentioned this pull request May 17, 2017
Closed
@pguibert6WIND pguibert6WIND mentioned this pull request Jul 17, 2017
Closed
This was referenced Sep 5, 2017
Closed
Closed
@louberger louberger mentioned this pull request Dec 13, 2017
Merged
This was referenced May 14, 2018
Closed
Closed
Closed
@nuqleo nuqleo mentioned this pull request Jun 16, 2018
Closed
@louberger louberger mentioned this pull request Aug 27, 2018
Merged
@srimohans srimohans mentioned this pull request Sep 11, 2018
Closed
@donaldsharp donaldsharp mentioned this pull request Sep 21, 2018
Closed
@mdash-vmware mdash-vmware mentioned this pull request Oct 8, 2018
Closed
@donaldsharp donaldsharp mentioned this pull request Oct 30, 2018
Closed
@karamalla0406 karamalla0406 mentioned this pull request Nov 14, 2018
Closed
@vijaykug vijaykug mentioned this pull request Nov 16, 2018
Closed
@jasonlittledragon jasonlittledragon mentioned this pull request Jan 28, 2019
Closed
rwestphal referenced this pull request in opensourcerouting/frr Feb 21, 2019
@rwestphal
bgpd: fix null pointer dereference bug
aa6476d 
If path->net is NULL in the bgp_path_info_free() function, then
bgpd would crash in bgp_addpath_free_info_data() with the following
backtrace:

 (gdb) bt
 #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
 #1  0x00007ff7b267a42a in __GI_abort () at abort.c:89
 #2  0x00007ff7b39c1ca0 in core_handler (signo=11, siginfo=0x7ffff66414f0, context=<optimized out>) at lib/sigevent.c:249
 #3  <signal handler called>
 #4  idalloc_free_to_pool (pool_ptr=pool_ptr@entry=0x0, id=3) at lib/id_alloc.c:368
 #5  0x0000560096246688 in bgp_addpath_free_info_data (d=d@entry=0x560098665468, nd=0x0) at bgpd/bgp_addpath.c:100
 #6  0x00005600961bb522 in bgp_path_info_free (path=0x560098665400) at bgpd/bgp_route.c:252
 #7  bgp_path_info_unlock (path=0x560098665400) at bgpd/bgp_route.c:276
 #8  0x00005600961bb719 in bgp_path_info_reap (rn=rn@entry=0x5600986b2110, pi=pi@entry=0x560098665400) at bgpd/bgp_route.c:320
 #9  0x00005600961bf4db in bgp_process_main_one (safi=SAFI_MPLS_VPN, afi=AFI_IP, rn=0x5600986b2110, bgp=0x560098587320) at bgpd/bgp_route.c:2476
 #10 bgp_process_wq (wq=<optimized out>, data=0x56009869b8f0) at bgpd/bgp_route.c:2503
 #11 0x00007ff7b39d5fcc in work_queue_run (thread=0x7ffff6641e10) at lib/workqueue.c:294
 #12 0x00007ff7b39ce3b1 in thread_call (thread=thread@entry=0x7ffff6641e10) at lib/thread.c:1606
 #13 0x00007ff7b39a3538 in frr_run (master=0x5600980795b0) at lib/libfrr.c:1011
 #14 0x000056009618a5a3 in main (argc=3, argv=0x7ffff6642078) at bgpd/bgp_main.c:481

Add a null-check protection to fix this problem.

Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Sep 11, 2025
@pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
f7afdcc 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Sep 11, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
c52e6a4 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Sep 11, 2025
@pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
7f33f53 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Sep 22, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
67f9abe 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Sep 22, 2025
@pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
8975ebc 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
donaldsharp pushed a commit that referenced this pull request Sep 30, 2025
@ton31337
Revert "bgpd: Free up leaked bpme on release"
4c791a6 
bgp_flowspec.test_bgp_flowspec_topo started to fail (crash) after this.

Let's revert it for now.

It's freed a bit above already:

	hash_release(bpm->entry_hash, bpme);
	bgp_pbr_match_entry_free(bpme);

    ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x60e00009f8a0
        #0 0x7f27d6cb7f04 in __interceptor_malloc_usable_size ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:119
        #1 0x7f27d6c264f6 in __sanitizer::BufferedStackTrace::Unwind(unsigned long, unsigned long, void*, bool, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:131
        #2 0x7f27d6c264f6 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1058
        #3 0x7f27d68254df in mt_count_free lib/memory.c:83
        #4 0x7f27d68254df in qfree lib/memory.c:135
        #5 0x5637d57b04a2 in bgp_pbr_match_entry_free bgpd/bgp_pbr.c:977
        #6 0x5637d57b04a2 in bgp_pbr_flush_entry bgpd/bgp_pbr.c:1737
        #7 0x5637d57b40be in bgp_pbr_policyroute_remove_from_zebra_unit bgpd/bgp_pbr.c:1980
        #8 0x5637d57bb7c0 in bgp_pbr_policyroute_remove_from_zebra bgpd/bgp_pbr.c:2144
        #9 0x5637d57bb7c0 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2781
        #10 0x5637d57bb7c0 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2905
        #11 0x5637d58d23e1 in bgp_zebra_withdraw_actual bgpd/bgp_zebra.c:1733
        #12 0x5637d57ccc9e in bgp_cleanup_table bgpd/bgp_route.c:7300
        #13 0x5637d57e27d2 in bgp_cleanup_routes bgpd/bgp_route.c:7318
        #14 0x5637d5911b91 in bgp_delete bgpd/bgpd.c:4370
        #15 0x5637d56961b4 in bgp_exit bgpd/bgp_main.c:212
        #16 0x5637d56961b4 in sigint bgpd/bgp_main.c:162
        #17 0x7f27d68af501 in frr_sigevent_process lib/sigevent.c:117
        #18 0x7f27d68db77a in event_fetch lib/event.c:1742
        #19 0x7f27d68027e4 in frr_run lib/libfrr.c:1251
        #20 0x5637d5697c55 in main bgpd/bgp_main.c:569
        #21 0x7f27d630c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #22 0x7f27d630c304 in __libc_start_main_impl ../csu/libc-start.c:360
        #23 0x5637d5695ac0 in _start (/usr/lib/frr/bgpd+0x2cfac0)

    0x60e00009f8a0 is located 0 bytes inside of 160-byte region [0x60e00009f8a0,0x60e00009f940)
    freed by thread T0 here:
        #0 0x7f27d6cb76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
        #1 0x7f27d6825500 in qfree lib/memory.c:136
        #2 0x5637d57b0366 in bgp_pbr_match_entry_free bgpd/bgp_pbr.c:977
        #3 0x5637d57b0366 in bgp_pbr_flush_entry bgpd/bgp_pbr.c:1715
        #4 0x5637d57b40be in bgp_pbr_policyroute_remove_from_zebra_unit bgpd/bgp_pbr.c:1980
        #5 0x5637d57bb7c0 in bgp_pbr_policyroute_remove_from_zebra bgpd/bgp_pbr.c:2144
        #6 0x5637d57bb7c0 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2781
        #7 0x5637d57bb7c0 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2905
        #8 0x5637d58d23e1 in bgp_zebra_withdraw_actual bgpd/bgp_zebra.c:1733
        #9 0x5637d57ccc9e in bgp_cleanup_table bgpd/bgp_route.c:7300
        #10 0x5637d57e27d2 in bgp_cleanup_routes bgpd/bgp_route.c:7318
        #11 0x5637d5911b91 in bgp_delete bgpd/bgpd.c:4370
        #12 0x5637d56961b4 in bgp_exit bgpd/bgp_main.c:212
        #13 0x5637d56961b4 in sigint bgpd/bgp_main.c:162
        #14 0x7f27d68af501 in frr_sigevent_process lib/sigevent.c:117
        #15 0x7f27d68db77a in event_fetch lib/event.c:1742
        #16 0x7f27d68027e4 in frr_run lib/libfrr.c:1251
        #17 0x5637d5697c55 in main bgpd/bgp_main.c:569
        #18 0x7f27d630c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

This reverts commit d0df550.

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Oct 1, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
33eb56e 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Oct 1, 2025
@pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
f2cdfa2 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Oct 2, 2025
@Keelan10 @pguibert6WIND
lib: Free Temporary Memory for AF_FLOWSPEC Prefix
c3b4802 
This commit addresses a leak where temporary memory allocated
earlier by the `prefix_copy` function for AF_FLOWSPEC prefixes
was not being freed. To ensure proper memory management, we now
release this temporary memory by calling `prefix_flowspec_ptr_free`.

The ASan leak log for reference:

```
***********************************************************************************
Address Sanitizer Error detected in bgp_flowspec.test_bgp_flowspec_topo/r1.asan.bgpd.11539

=================================================================
==11539==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 56 byte(s) in 2 object(s) allocated from:
    #0 0x7feaa956ad28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    FRRouting#1 0x7feaa8f670da in qcalloc lib/memory.c:105
    FRRouting#2 0x7feaa8fac1d4 in prefix_copy lib/prefix.c:346
    FRRouting#3 0x7feaa8ff43e8 in route_node_get lib/table.c:274
    FRRouting#4 0x56247cc798c0 in bgp_node_get bgpd/bgp_table.h:236
    FRRouting#5 0x56247cc798c0 in bgp_afi_node_get bgpd/bgp_route.c:145
    FRRouting#6 0x56247cc92622 in bgp_update bgpd/bgp_route.c:4188
    FRRouting#7 0x56247ce55b21 in bgp_nlri_parse_flowspec bgpd/bgp_flowspec.c:193
    FRRouting#8 0x56247cc4cdd8 in bgp_nlri_parse bgpd/bgp_packet.c:350
    FRRouting#9 0x56247cc4f37c in bgp_update_receive bgpd/bgp_packet.c:2153
    FRRouting#10 0x56247cc591e2 in bgp_process_packet bgpd/bgp_packet.c:3214
    FRRouting#11 0x7feaa9005b99 in event_call lib/event.c:1979
    FRRouting#12 0x7feaa8f4a379 in frr_run lib/libfrr.c:1213
    FRRouting#13 0x56247cb51b21 in main bgpd/bgp_main.c:510
    FRRouting#14 0x7feaa7f8dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: 56 byte(s) leaked in 2 allocation(s).
***********************************************************************************
```

Signed-off-by: Keelan Cannoo <keelan.cannoo@icloud.com>
(cherry picked from commit a7fe30e)

Conflicts:
	bgpd/bgp_table.c
	lib/prefix.c
	lib/prefix.h
	lib/table.c

Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Oct 2, 2025
@Keelan10 @pguibert6WIND
lib: Free Temporary Memory for AF_FLOWSPEC Prefix
881a5c1 
This commit addresses a leak where temporary memory allocated
earlier by the `prefix_copy` function for AF_FLOWSPEC prefixes
was not being freed. To ensure proper memory management, we now
release this temporary memory by calling `prefix_flowspec_ptr_free`.

The ASan leak log for reference:

```
***********************************************************************************
Address Sanitizer Error detected in bgp_flowspec.test_bgp_flowspec_topo/r1.asan.bgpd.11539

=================================================================
==11539==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 56 byte(s) in 2 object(s) allocated from:
    #0 0x7feaa956ad28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    FRRouting#1 0x7feaa8f670da in qcalloc lib/memory.c:105
    FRRouting#2 0x7feaa8fac1d4 in prefix_copy lib/prefix.c:346
    FRRouting#3 0x7feaa8ff43e8 in route_node_get lib/table.c:274
    FRRouting#4 0x56247cc798c0 in bgp_node_get bgpd/bgp_table.h:236
    FRRouting#5 0x56247cc798c0 in bgp_afi_node_get bgpd/bgp_route.c:145
    FRRouting#6 0x56247cc92622 in bgp_update bgpd/bgp_route.c:4188
    FRRouting#7 0x56247ce55b21 in bgp_nlri_parse_flowspec bgpd/bgp_flowspec.c:193
    FRRouting#8 0x56247cc4cdd8 in bgp_nlri_parse bgpd/bgp_packet.c:350
    FRRouting#9 0x56247cc4f37c in bgp_update_receive bgpd/bgp_packet.c:2153
    FRRouting#10 0x56247cc591e2 in bgp_process_packet bgpd/bgp_packet.c:3214
    FRRouting#11 0x7feaa9005b99 in event_call lib/event.c:1979
    FRRouting#12 0x7feaa8f4a379 in frr_run lib/libfrr.c:1213
    FRRouting#13 0x56247cb51b21 in main bgpd/bgp_main.c:510
    FRRouting#14 0x7feaa7f8dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: 56 byte(s) leaked in 2 allocation(s).
***********************************************************************************
```

Signed-off-by: Keelan Cannoo <keelan.cannoo@icloud.com>
(cherry picked from commit a7fe30e)

Conflicts:
	bgpd/bgp_table.c
	lib/prefix.c
	lib/prefix.h
	lib/table.c

Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@donaldsharp donaldsharp mentioned this pull request Oct 7, 2025
Merged
Jafaral pushed a commit that referenced this pull request Oct 7, 2025
@donaldsharp
ospfd: On cleanup, actually free vertexes
2d0f460 
Upon examining this Indirect leak:

Indirect leak of 160 byte(s) in 4 object(s) allocated from:
    #0 0x7fe4f40b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7fe4f3c24c1d in qcalloc lib/memory.c:111
    #2 0x7fe4f3c03441 in list_new lib/linklist.c:49
    #3 0x564c81d076f9 in ospf_spf_vertex_copy ospfd/ospf_spf.c:335
    #4 0x564c81d0bff2 in ospf_spf_copy ospfd/ospf_spf.c:378
    #5 0x564c81d158e8 in ospf_ti_lfa_generate_p_space ospfd/ospf_ti_lfa.c:787
    #6 0x564c81d162f5 in ospf_ti_lfa_generate_p_spaces ospfd/ospf_ti_lfa.c:923
    #7 0x564c81d16532 in ospf_ti_lfa_compute ospfd/ospf_ti_lfa.c:1101
    #8 0x564c81d0e942 in ospf_spf_calculate_area ospfd/ospf_spf.c:1811
    #9 0x564c81d0eaa6 in ospf_spf_calculate_areas ospfd/ospf_spf.c:1840
    #10 0x564c81d0eda2 in ospf_spf_calculate_schedule_worker ospfd/ospf_spf.c:1871
    #11 0x7fe4f3cdd7c3 in event_call lib/event.c:2009
    #12 0x7fe4f3c027e9 in frr_run lib/libfrr.c:1252
    #13 0x564c81c95191 in main ospfd/ospf_main.c:307
    #14 0x7fe4f370c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

It was noticed that the vertex has another list that is not being
cleanedup.  Let's allow this to happen.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
mergify bot pushed a commit that referenced this pull request Oct 7, 2025
@donaldsharp @mergify
ospfd: On cleanup, actually free vertexes
1b0223e 
Upon examining this Indirect leak:

Indirect leak of 160 byte(s) in 4 object(s) allocated from:
    #0 0x7fe4f40b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7fe4f3c24c1d in qcalloc lib/memory.c:111
    #2 0x7fe4f3c03441 in list_new lib/linklist.c:49
    #3 0x564c81d076f9 in ospf_spf_vertex_copy ospfd/ospf_spf.c:335
    #4 0x564c81d0bff2 in ospf_spf_copy ospfd/ospf_spf.c:378
    #5 0x564c81d158e8 in ospf_ti_lfa_generate_p_space ospfd/ospf_ti_lfa.c:787
    #6 0x564c81d162f5 in ospf_ti_lfa_generate_p_spaces ospfd/ospf_ti_lfa.c:923
    #7 0x564c81d16532 in ospf_ti_lfa_compute ospfd/ospf_ti_lfa.c:1101
    #8 0x564c81d0e942 in ospf_spf_calculate_area ospfd/ospf_spf.c:1811
    #9 0x564c81d0eaa6 in ospf_spf_calculate_areas ospfd/ospf_spf.c:1840
    #10 0x564c81d0eda2 in ospf_spf_calculate_schedule_worker ospfd/ospf_spf.c:1871
    #11 0x7fe4f3cdd7c3 in event_call lib/event.c:2009
    #12 0x7fe4f3c027e9 in frr_run lib/libfrr.c:1252
    #13 0x564c81c95191 in main ospfd/ospf_main.c:307
    #14 0x7fe4f370c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

It was noticed that the vertex has another list that is not being
cleanedup.  Let's allow this to happen.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 2d0f460)
@mergify mergify bot mentioned this pull request Oct 7, 2025
Closed
mergify bot pushed a commit that referenced this pull request Oct 7, 2025
@donaldsharp @mergify
ospfd: On cleanup, actually free vertexes
66c39da 
Upon examining this Indirect leak:

Indirect leak of 160 byte(s) in 4 object(s) allocated from:
    #0 0x7fe4f40b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7fe4f3c24c1d in qcalloc lib/memory.c:111
    #2 0x7fe4f3c03441 in list_new lib/linklist.c:49
    #3 0x564c81d076f9 in ospf_spf_vertex_copy ospfd/ospf_spf.c:335
    #4 0x564c81d0bff2 in ospf_spf_copy ospfd/ospf_spf.c:378
    #5 0x564c81d158e8 in ospf_ti_lfa_generate_p_space ospfd/ospf_ti_lfa.c:787
    #6 0x564c81d162f5 in ospf_ti_lfa_generate_p_spaces ospfd/ospf_ti_lfa.c:923
    #7 0x564c81d16532 in ospf_ti_lfa_compute ospfd/ospf_ti_lfa.c:1101
    #8 0x564c81d0e942 in ospf_spf_calculate_area ospfd/ospf_spf.c:1811
    #9 0x564c81d0eaa6 in ospf_spf_calculate_areas ospfd/ospf_spf.c:1840
    #10 0x564c81d0eda2 in ospf_spf_calculate_schedule_worker ospfd/ospf_spf.c:1871
    #11 0x7fe4f3cdd7c3 in event_call lib/event.c:2009
    #12 0x7fe4f3c027e9 in frr_run lib/libfrr.c:1252
    #13 0x564c81c95191 in main ospfd/ospf_main.c:307
    #14 0x7fe4f370c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

It was noticed that the vertex has another list that is not being
cleanedup.  Let's allow this to happen.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 2d0f460)
mergify bot pushed a commit that referenced this pull request Oct 7, 2025
@donaldsharp @mergify
ospfd: On cleanup, actually free vertexes
6ee53b5 
Upon examining this Indirect leak:

Indirect leak of 160 byte(s) in 4 object(s) allocated from:
    #0 0x7fe4f40b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7fe4f3c24c1d in qcalloc lib/memory.c:111
    #2 0x7fe4f3c03441 in list_new lib/linklist.c:49
    #3 0x564c81d076f9 in ospf_spf_vertex_copy ospfd/ospf_spf.c:335
    #4 0x564c81d0bff2 in ospf_spf_copy ospfd/ospf_spf.c:378
    #5 0x564c81d158e8 in ospf_ti_lfa_generate_p_space ospfd/ospf_ti_lfa.c:787
    #6 0x564c81d162f5 in ospf_ti_lfa_generate_p_spaces ospfd/ospf_ti_lfa.c:923
    #7 0x564c81d16532 in ospf_ti_lfa_compute ospfd/ospf_ti_lfa.c:1101
    #8 0x564c81d0e942 in ospf_spf_calculate_area ospfd/ospf_spf.c:1811
    #9 0x564c81d0eaa6 in ospf_spf_calculate_areas ospfd/ospf_spf.c:1840
    #10 0x564c81d0eda2 in ospf_spf_calculate_schedule_worker ospfd/ospf_spf.c:1871
    #11 0x7fe4f3cdd7c3 in event_call lib/event.c:2009
    #12 0x7fe4f3c027e9 in frr_run lib/libfrr.c:1252
    #13 0x564c81c95191 in main ospfd/ospf_main.c:307
    #14 0x7fe4f370c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

It was noticed that the vertex has another list that is not being
cleanedup.  Let's allow this to happen.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 2d0f460)
This was referenced Oct 7, 2025
Closed
Closed
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Oct 22, 2025
@pguibert6WIND
bgpd: fix crash when running bgp_rfapi_basic_sanity test
fcb516f 
The following crash has happened.

> #0  __pthread_kill_implementation (no_tid=0, signo=11, threadid=134363256068544) at ./nptl/pthread_kill.c:44
> FRRouting#1  __pthread_kill_internal (signo=11, threadid=134363256068544) at ./nptl/pthread_kill.c:78
> FRRouting#2  __GI___pthread_kill (threadid=134363256068544, signo=signo@entry=11) at ./nptl/pthread_kill.c:89
> FRRouting#3  0x00007a33e1c42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
> FRRouting#4  0x00007a33e210feca in core_handler (signo=11, siginfo=0x7ffd4a405130, context=<optimized out>) at lib/sigevent.c:268
> FRRouting#5  <signal handler called>
> FRRouting#6  vpn_leak_to_vrf_update_onevrf (to_bgp=0x5a70a945d9b0, from_bgp=0x5a70a945d9b0, path_vpn=0x5a70a9488b50, prd=0x0, from=0x5a70a9482350) at bgpd/bgp_mplsvpn.c:2256
> FRRouting#7  0x00005a7093ca627c in vpn_leak_to_vrf_update_all (to_bgp=to_bgp@entry=0x5a70a945d9b0, vpn_from=vpn_from@entry=0x5a70a945d9b0, afi=afi@entry=AFI_IP) at bgpd/bgp_mplsvpn.c:2839
> FRRouting#8  0x00005a7093ca789d in vpn_leak_postchange (bgp_vrf=0x5a70a945d9b0, bgp_vpn=0x5a70a945d9b0, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_FROMVPN) at ./bgpd/bgp_mplsvpn.h:270
> FRRouting#9  vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:4001
> FRRouting#10 0x00007a33e2123366 in event_call (thread=thread@entry=0x7ffd4a405a50) at lib/event.c:2005
> FRRouting#11 0x00007a33e20c3828 in frr_run (loop=0x5a70a8c0ff90) at lib/libfrr.c:1252
> FRRouting#12 0x00005a7093c45122 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:565

prefix attached to pdest is null. Protect it.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@soumyar-roy soumyar-roy mentioned this pull request Oct 29, 2025
Merged
This was referenced Oct 29, 2025
Merged
Merged
Merged
Closed
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Nov 4, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
84e6d0a 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Nov 4, 2025
@pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
0a77371 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Nov 4, 2025
@pguibert6WIND
bgpd: fix crash when reconfiguring func-bits value in locator
1eadb70 
The following crash happens on a BGP setup with SRv6 used, when locator
is updated with the func-bits value moving from 32 bits to 16 bits.

> FRRouting#6  0x000061582b486b5c in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
> FRRouting#7  vpn_leak_from_vrf_update (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     path_vrf=path_vrf@entry=0x6158364ef110) at bgpd/bgp_mplsvpn.c:2010
> FRRouting#8  0x000061582b48758b in vpn_leak_from_vrf_update_all (to_bgp=to_bgp@entry=0x6158364a0340, from_bgp=from_bgp@entry=0x6158364c1040,
>     afi=<optimized out>) at bgpd/bgp_mplsvpn.c:2215
> FRRouting#9  0x000061582b48774d in vpn_leak_postchange (afi=afi@entry=AFI_IP, bgp_vpn=bgp_vpn@entry=0x6158364a0340,
>     bgp_vrf=bgp_vrf@entry=0x6158364c1040, direction=BGP_VPN_POLICY_DIR_TOVPN) at ./bgpd/bgp_mplsvpn.h:313
> FRRouting#10 0x000061582b489b4b in vpn_leak_postchange (bgp_vrf=0x6158364c1040, bgp_vpn=0x6158364a0340, afi=AFI_IP, direction=BGP_VPN_POLICY_DIR_TOVPN)
>     at ./bgpd/bgp_mplsvpn.h:273
> FRRouting#11 vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3978
> FRRouting#12 0x000061582b5219d5 in bgp_zebra_process_srv6_locator_delete (cmd=<optimized out>, zclient=<optimized out>, length=<optimized out>,
>     vrf_id=<optimized out>) at bgpd/bgp_zebra.c:3874
> FRRouting#13 0x0000766887b391ee in zclient_read (thread=<optimized out>) at lib/zclient.c:4804
> FRRouting#14 0x0000766887b2245e in event_call (thread=thread@entry=0x7ffc86531a30) at lib/event.c:2005
> FRRouting#15 0x0000766887ac2ed8 in frr_run (loop=0x615835c46fd0) at lib/libfrr.c:1252
> FRRouting#16 0x000061582b428163 in main (argc=<optimized out>, argv=0x7ffc86531cf8) at bgpd/bgp_main.c:565
> (gdb)
>

Actually, the SID allocated has been freed after the locator deleted
event. Protect this part of code by checking the availability of the
sid pointer.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND pushed a commit to pguibert6WIND/frr that referenced this pull request Nov 4, 2025
@pguibert6WIND
bgpd: fix srv6 align the sid_func with wlib array boundaries
a6a2777 
The topotest bgp_srv6_sid_explicit generates the crash dump:

ERROR: SEGV on unknown address 0x5110002dba30 (pc 0x55a58a813379 bp 0x7ffd2cc8ec50 sp 0x7ffd2cc8ec00 T0)
The signal is caused by a READ memory access.
    #0 0x55a58a813379 in alloc_srv6_sid_func_explicit zebra/zebra_srv6.c:1264
    FRRouting#1 0x55a58a815138 in get_srv6_sid_explicit zebra/zebra_srv6.c:1611
    FRRouting#2 0x55a58a8166bb in get_srv6_sid zebra/zebra_srv6.c:1807
    FRRouting#3 0x55a58a8191ef in srv6_manager_get_sid_internal zebra/zebra_srv6.c:2314
    FRRouting#4 0x55a58a80c0aa in hook_call_srv6_manager_get_sid zebra/zebra_srv6.c:67
    FRRouting#5 0x55a58a80c671 in srv6_manager_get_sid_call zebra/zebra_srv6.c:115
    FRRouting#6 0x55a58a78e956 in zread_srv6_manager_get_srv6_sid zebra/zapi_msg.c:3245
    FRRouting#7 0x55a58a78f1d8 in zread_srv6_manager_request zebra/zapi_msg.c:3313
    FRRouting#8 0x55a58a799321 in zserv_handle_commands zebra/zapi_msg.c:4425
    FRRouting#9 0x55a58a92473c in zserv_process_messages zebra/zserv.c:521
    FRRouting#10 0x781c0f978970 in event_call lib/event.c:2011
    FRRouting#11 0x781c0f843d11 in frr_run lib/libfrr.c:1219
    FRRouting#12 0x55a58a73079d in main zebra/main.c:550
    FRRouting#13 0x781c0f22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#14 0x781c0f22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    FRRouting#15 0x55a58a6ec2b4 in _start (/usr/lib/frr/zebra+0x1d02b4)

Fixes: 4e4588fa8f ("zebra: Add functions to alloc/release SRv6 SIDs")

Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
pguibert6WIND added a commit to pguibert6WIND/frr that referenced this pull request Dec 2, 2025
@pguibert6WIND
isisd: fix crash when changing isis type
4ccdce7 
The following crash happens, when moving from level-2 to level-1 an isis
flex-algorithm configuration

> warning: 44     ./nptl/pthread_kill.c: No such file or directory
> [Current thread is 1 (Thread 0x7108d4cb2980 (LWP 1023))]
> (gdb) bt
> #0  __pthread_kill_implementation (no_tid=0, signo=11,
>     threadid=<optimized out>) at ./nptl/pthread_kill.c:44
> FRRouting#1  __pthread_kill_internal (signo=11, threadid=<optimized out>)
>     at ./nptl/pthread_kill.c:78
> FRRouting#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
>     at ./nptl/pthread_kill.c:89
> FRRouting#3  0x00007108d3e4527e in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
> FRRouting#4  0x00007108d4b44926 in core_handler (signo=11, siginfo=0x7ffe7c10fb30,
>     context=0x7ffe7c10fa00)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:248
> FRRouting#5  <signal handler called>
> FRRouting#6  0x00005b5d803bf07b in isis_spf_invalidate_routes (tree=0x0)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2118
> FRRouting#7  0x00005b5d803fb23e in isis_area_invalidate_routes (area=0x5b5db8d5be40,
>     levels=1)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isisd.c:3152
> FRRouting#8  0x00005b5d803bf280 in isis_run_spf_cb (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2165
> FRRouting#9  0x00007108d4b5ff7f in event_call (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/event.c:2011
> FRRouting#10 0x00007108d4adb761 in frr_run (master=0x5b5db7f7ca40)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1219
> FRRouting#11 0x00005b5d8038333a in main (argc=5, argv=0x7ffe7c1103d8,
> --Type <RET> for more, q to quit, c to continue without paging--
>     envp=0x7ffe7c110408)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_main.c:360
> (gdb)

Fix this by adding protection before invalidating all routes.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND pguibert6WIND mentioned this pull request Dec 2, 2025
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eqvinox eqvinox Awaiting requested review from eqvinox

@donaldsharp donaldsharp Awaiting requested review from donaldsharp

@mwinter-osr mwinter-osr Awaiting requested review from mwinter-osr

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@qlyoung @NetDEF-CI @donaldsharp