Skip to content

Commit

Permalink
isisd: fix infinite loop when parsing LSPs
Browse files Browse the repository at this point in the history 
Fixing the crash:

> #0  0x0000560aa80f8e30 in lspdb_const_find (h=<error reading variable: Cannot access memory at address 0x7fff5e95efe8>, item=<error reading variable: Cannot access memory at address 0x7fff5e95efe0>) at ./isisd/isis_lsp.h:64
> #1  0x0000560aa80f8e9d in lspdb_find (h=0x560aaa1ed3b8, item=0x7fff5e95f050) at ./isisd/isis_lsp.h:64
> #2  0x0000560aa80f92f9 in lsp_search (head=0x560aaa1ed3b8, id=0x7fff5e95f200 "") at isisd/isis_lsp.c:100
> FRRouting#3  0x0000560aa8113d69 in spf_adj_list_parse_tlv (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, id=0x560aad331a78 "", desig_is_id=0x0, pseudo_metric=0, metric=3, oldmetric=false, subtlvs=0x0) at isisd/isis_spf.c:1330
> FRRouting#4  0x0000560aa811419d in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1429
> FRRouting#5  0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> FRRouting#6  0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> (...)
> #65507 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65508 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65509 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65510 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65511 0x0000560aa8114313 in isis_spf_build_adj_list (spftree=0x560aaa1f09d0, lsp=0x560aaa1f4e50) at isisd/isis_spf.c:1455
> #65512 0x0000560aa8114f09 in isis_run_spf (spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1775
> #65513 0x0000560aa8115057 in isis_run_spf_with_protection (area=0x560aaa1ed3b0, spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1801
> #65514 0x0000560aa8115311 in isis_run_spf_cb (thread=0x7fff5f15e5a0) at isisd/isis_spf.c:1859
> #65515 0x00007f90bac66dcc in thread_call (thread=0x7fff5f15e5a0) at lib/thread.c:2002
> #65516 0x00007f90bac013ee in frr_run (master=0x560aa9f5cb40) at lib/libfrr.c:1196
> #65517 0x0000560aa80e7da2 in main (argc=2, argv=0x7fff5f15e7b8, envp=0x7fff5f15e7d0) at isisd/isis_main.c:273

Fixes: 7b36d36 ("isisd: make the SPF code more modular")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
  • Loading branch information
@louis-6wind
louis-6wind committed Mar 29, 2022
1 parent 2283482 commit 5e56a50
Showing 1 changed file with 20 additions and 8 deletions.
28 changes: 20 additions & 8 deletions isisd/isis_spf.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1388,14 +1388,13 @@ static void spf_adj_list_parse_tlv(struct isis_spftree *spftree,
spf_adj_list_parse_lsp(spftree, adj_list, lsp, id, metric);
}

static void spf_adj_list_parse_lsp(struct isis_spftree *spftree,
struct list *adj_list, struct isis_lsp *lsp,
const uint8_t *pseudo_nodeid,
uint32_t pseudo_metric)
static void spf_adj_list_parse_lsp_frag(struct isis_spftree *spftree,
struct list *adj_list,
struct isis_lsp *lsp,
const uint8_t *pseudo_nodeid,
uint32_t pseudo_metric)
{
bool pseudo_lsp = LSP_PSEUDO_ID(lsp->hdr.lsp_id);
struct isis_lsp *frag;
struct listnode *node;
struct isis_item *head;
struct isis_item_list *te_neighs;

Expand Down Expand Up @@ -1433,14 +1432,27 @@ static void spf_adj_list_parse_lsp(struct isis_spftree *spftree,
}
}
}
}


static void spf_adj_list_parse_lsp(struct isis_spftree *spftree,
struct list *adj_list, struct isis_lsp *lsp,
const uint8_t *pseudo_nodeid,
uint32_t pseudo_metric)
{
struct isis_lsp *frag;
struct listnode *node;

spf_adj_list_parse_lsp_frag(spftree, adj_list, lsp, pseudo_nodeid,
pseudo_metric);

/* Parse LSP fragments. */
for (ALL_LIST_ELEMENTS_RO(lsp->lspu.frags, node, frag)) {
if (!frag->tlvs)
continue;

spf_adj_list_parse_lsp(spftree, adj_list, frag, pseudo_nodeid,
pseudo_metric);
spf_adj_list_parse_lsp_frag(spftree, adj_list, frag,
pseudo_nodeid, pseudo_metric);
}
}

Expand Down

0 comments on commit 5e56a50

Please sign in to comment.