Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test action #2

Open
wants to merge 3 commits into
base: Commit-Compile-Action
Choose a base branch
from
Open

test action #2

wants to merge 3 commits into from

Conversation

sworleys
Copy link
Owner

test action

@sworleys
test action
bfc1f6d 
test action

Signed-off-by: Stephen Worley <sworley@nvidia.com>
sworleys pushed a commit that referenced this pull request May 18, 2022
@louis-6wind
isisd: fix infinite loop when parsing LSPs
5e56a50 
Fixing the crash:

> #0  0x0000560aa80f8e30 in lspdb_const_find (h=<error reading variable: Cannot access memory at address 0x7fff5e95efe8>, item=<error reading variable: Cannot access memory at address 0x7fff5e95efe0>) at ./isisd/isis_lsp.h:64
> #1  0x0000560aa80f8e9d in lspdb_find (h=0x560aaa1ed3b8, item=0x7fff5e95f050) at ./isisd/isis_lsp.h:64
> #2  0x0000560aa80f92f9 in lsp_search (head=0x560aaa1ed3b8, id=0x7fff5e95f200 "") at isisd/isis_lsp.c:100
> FRRouting#3  0x0000560aa8113d69 in spf_adj_list_parse_tlv (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, id=0x560aad331a78 "", desig_is_id=0x0, pseudo_metric=0, metric=3, oldmetric=false, subtlvs=0x0) at isisd/isis_spf.c:1330
> FRRouting#4  0x0000560aa811419d in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1429
> FRRouting#5  0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> FRRouting#6  0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> (...)
> #65507 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65508 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65509 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65510 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65511 0x0000560aa8114313 in isis_spf_build_adj_list (spftree=0x560aaa1f09d0, lsp=0x560aaa1f4e50) at isisd/isis_spf.c:1455
> #65512 0x0000560aa8114f09 in isis_run_spf (spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1775
> #65513 0x0000560aa8115057 in isis_run_spf_with_protection (area=0x560aaa1ed3b0, spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1801
> #65514 0x0000560aa8115311 in isis_run_spf_cb (thread=0x7fff5f15e5a0) at isisd/isis_spf.c:1859
> #65515 0x00007f90bac66dcc in thread_call (thread=0x7fff5f15e5a0) at lib/thread.c:2002
> #65516 0x00007f90bac013ee in frr_run (master=0x560aa9f5cb40) at lib/libfrr.c:1196
> #65517 0x0000560aa80e7da2 in main (argc=2, argv=0x7fff5f15e7b8, envp=0x7fff5f15e7d0) at isisd/isis_main.c:273

Fixes: 7b36d36 ("isisd: make the SPF code more modular")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
sworleys pushed a commit that referenced this pull request Aug 16, 2022
@louis-6wind
isisd: fix infinite loop when parsing LSPs
8c8a5a0 
Fixing the crash:

> #0  0x0000560aa80f8e30 in lspdb_const_find (h=<error reading variable: Cannot access memory at address 0x7fff5e95efe8>, item=<error reading variable: Cannot access memory at address 0x7fff5e95efe0>) at ./isisd/isis_lsp.h:64
> #1  0x0000560aa80f8e9d in lspdb_find (h=0x560aaa1ed3b8, item=0x7fff5e95f050) at ./isisd/isis_lsp.h:64
> #2  0x0000560aa80f92f9 in lsp_search (head=0x560aaa1ed3b8, id=0x7fff5e95f200 "") at isisd/isis_lsp.c:100
> FRRouting#3  0x0000560aa8113d69 in spf_adj_list_parse_tlv (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, id=0x560aad331a78 "", desig_is_id=0x0, pseudo_metric=0, metric=3, oldmetric=false, subtlvs=0x0) at isisd/isis_spf.c:1330
> FRRouting#4  0x0000560aa811419d in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1429
> FRRouting#5  0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> FRRouting#6  0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> (...)
> #65507 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65508 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65509 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1ff8e0, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65510 0x0000560aa81141fe in spf_adj_list_parse_lsp (spftree=0x560aaa1f09d0, adj_list=0x560aaa214480, lsp=0x560aaa1f4e50, pseudo_nodeid=0x0, pseudo_metric=0) at isisd/isis_spf.c:1442
> #65511 0x0000560aa8114313 in isis_spf_build_adj_list (spftree=0x560aaa1f09d0, lsp=0x560aaa1f4e50) at isisd/isis_spf.c:1455
> #65512 0x0000560aa8114f09 in isis_run_spf (spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1775
> #65513 0x0000560aa8115057 in isis_run_spf_with_protection (area=0x560aaa1ed3b0, spftree=0x560aaa1f09d0) at isisd/isis_spf.c:1801
> #65514 0x0000560aa8115311 in isis_run_spf_cb (thread=0x7fff5f15e5a0) at isisd/isis_spf.c:1859
> #65515 0x00007f90bac66dcc in thread_call (thread=0x7fff5f15e5a0) at lib/thread.c:2002
> #65516 0x00007f90bac013ee in frr_run (master=0x560aa9f5cb40) at lib/libfrr.c:1196
> #65517 0x0000560aa80e7da2 in main (argc=2, argv=0x7fff5f15e7b8, envp=0x7fff5f15e7d0) at isisd/isis_main.c:273

The fix is similar to the crash fix included in d9884a7
("isisd: Prepare IS-IS for Link State support"). The fix was:

> diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
> index 94353a5bc8..92d329f035 100644
> --- a/isisd/isis_lsp.c
> +++ b/isisd/isis_lsp.c
> @@ -2166,7 +2178,7 @@ int isis_lsp_iterate_ip_reach(struct isis_lsp *lsp, int family, uint16_t mtid,
>  	if (lsp->hdr.seqno == 0 || lsp->hdr.rem_lifetime == 0)
>  		return LSP_ITER_CONTINUE;
>
> -	/* Parse main LSP. */
> +	/* Parse LSP */
>  	if (lsp->tlvs) {
>  		if (!fabricd && !pseudo_lsp && family == AF_INET
>  		    && mtid == ISIS_MT_IPV4_UNICAST) {
> @@ -2236,13 +2248,17 @@ int isis_lsp_iterate_ip_reach(struct isis_lsp *lsp, int family, uint16_t mtid,
>  		}
>  	}
>
> -	/* Parse LSP fragments. */
> -	for (ALL_LIST_ELEMENTS_RO(lsp->lspu.frags, node, frag)) {
> -		if (!frag->tlvs)
> -			continue;
> +	/* Parse LSP fragments if it is not a fragment itself */
> +	if (!LSP_FRAGMENT(lsp->hdr.lsp_id))
> +		for (ALL_LIST_ELEMENTS_RO(lsp->lspu.frags, node, frag)) {
> +			if (!frag->tlvs)
> +				continue;
>
> -		isis_lsp_iterate_ip_reach(frag, family, mtid, cb, arg);
> -	}
> +			if (isis_lsp_iterate_ip_reach(frag, family, mtid, cb,
> +						      arg)
> +			    == LSP_ITER_STOP)
> +				return LSP_ITER_STOP;
> +		}
>
>  	return LSP_ITER_CONTINUE;
>  }

Fixes: 7b36d36 ("isisd: make the SPF code more modular")
Fixes: 5e56a50 ("isisd: fix infinite loop when parsing LSPs")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
sworleys pushed a commit that referenced this pull request Oct 5, 2022
@mobash-rasool
pim6d: Fixing coverity issues for pim6_mld.c
5784a87 
CID 1519843 (#2 of 2): Uninitialized scalar variable (UNINIT)
43. uninit_use_in_call: Using uninitialized value pkt_src->sin6_addr when calling gm_rx_process

Signed-off-by: Mobashshera Rasool <mrasool@vmware.com>
sworleys pushed a commit that referenced this pull request Dec 9, 2022
@donaldsharp
ldpd: Clean up use after free in shutdown
f568f87 
Config data was being freed just prior to it
being used for cleanup in shutdown.  Prevent this
from happening.

./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-=================================================================
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142:==2274142==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00000c880 at pc 0x0000004d94d1 bp 0x7ffd46637810 sp 0
x7ffd46637808
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-READ of size 4 at 0x61d00000c880 thread T0
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #0 0x4d94d0 in ldp_rtr_id_get /home/sharpd/frr8/ldpd/ldpd.c:983:20
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #1 0x56ff92 in gen_ldp_hdr /home/sharpd/frr8/ldpd/packet.c:47:19
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #2 0x56a4b0 in send_notification_full /home/sharpd/frr8/ldpd/notification.c:49:9
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#3 0x56c4b3 in send_notification /home/sharpd/frr8/ldpd/notification.c:117:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#4 0x573fb7 in session_shutdown /home/sharpd/frr8/ldpd/packet.c:666:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#5 0x4e2ef1 in adj_del /home/sharpd/frr8/ldpd/adjacency.c:145:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#6 0x55d425 in ldpe_shutdown /home/sharpd/frr8/ldpd/ldpe.c:231:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#7 0x55a9a0 in ldpe_dispatch_main /home/sharpd/frr8/ldpd/ldpe.c:631:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#8 0x7f0c00c035e6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#9 0x5586f2 in ldpe /home/sharpd/frr8/ldpd/ldpe.c:138:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#10 0x4d46d2 in main /home/sharpd/frr8/ldpd/ldpd.c:339:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#11 0x7f0c00476d09 in __libc_start_main csu/../csu/libc-start.c:308:16
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#12 0x429cb9 in _start (/usr/lib/frr/ldpd+0x429cb9)
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-0x61d00000c880 is located 0 bytes inside of 2008-byte region [0x61d00000c880,0x61d00000d058)
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-freed by thread T0 here:
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #0 0x4a3aad in free (/usr/lib/frr/ldpd+0x4a3aad)
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #1 0x4de6c8 in config_clear /home/sharpd/frr8/ldpd/ldpd.c:2001:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #2 0x55d12d in ldpe_shutdown /home/sharpd/frr8/ldpd/ldpe.c:211:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#3 0x55a9a0 in ldpe_dispatch_main /home/sharpd/frr8/ldpd/ldpe.c:631:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#4 0x7f0c00c035e6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#5 0x5586f2 in ldpe /home/sharpd/frr8/ldpd/ldpe.c:138:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#6 0x4d46d2 in main /home/sharpd/frr8/ldpd/ldpd.c:339:3
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#7 0x7f0c00476d09 in __libc_start_main csu/../csu/libc-start.c:308:16
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-previously allocated by thread T0 here:
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #0 0x4a3ea2 in calloc (/usr/lib/frr/ldpd+0x4a3ea2)
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #1 0x4d6146 in config_new_empty /home/sharpd/frr8/ldpd/ldpd.c:1967:10
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    #2 0x558678 in ldpe /home/sharpd/frr8/ldpd/ldpe.c:134:11
--
./isis_rlfa_topo1.test_isis_rlfa_topo1/rt8.ldpd.asan.2274142-    FRRouting#4 0x7f0c00476d09 in __libc_start_main csu/../csu/libc-start.c:308:16

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
sworleys pushed a commit that referenced this pull request Dec 9, 2022
@donaldsharp
zebra: Cleanup use after free in shutdown
c2270bf 
On shutdown a use after free was being seen of a route table.
Basically the pointer was kept around and resent for cleanup.
Probably something needs to be unwound to make this better
in the future.  Just cleaning up the use after free.

./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-=================================================================
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929:==911929==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000127a00 at pc 0x7fb9ad546f5b bp 0x7ffc3cff0330 sp 0x7ffc3
cff0328
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-READ of size 8 at 0x606000127a00 thread T0
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    #0 0x7fb9ad546f5a in route_table_free /home/sharpd/frr8/lib/table.c:103:13
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    #1 0x7fb9ad546f04 in route_table_finish /home/sharpd/frr8/lib/table.c:61:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    #2 0x6b94ba in zebra_ns_disable_internal /home/sharpd/frr8/zebra/zebra_ns.c:141:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#3 0x6b9158 in zebra_ns_disabled /home/sharpd/frr8/zebra/zebra_ns.c:116:9
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#4 0x7fb9ad43f0f5 in ns_disable_internal /home/sharpd/frr8/lib/netns_linux.c:273:4
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#5 0x7fb9ad43e634 in ns_disable /home/sharpd/frr8/lib/netns_linux.c:368:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#6 0x7fb9ad43e251 in ns_delete /home/sharpd/frr8/lib/netns_linux.c:330:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#7 0x7fb9ad43fbb3 in ns_terminate /home/sharpd/frr8/lib/netns_linux.c:524:3
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#8 0x54f8de in zebra_finalize /home/sharpd/frr8/zebra/main.c:232:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#9 0x7fb9ad5655e6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#10 0x7fb9ad3d3343 in frr_run /home/sharpd/frr8/lib/libfrr.c:1198:3
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#11 0x550b48 in main /home/sharpd/frr8/zebra/main.c:476:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#12 0x7fb9acd30d09 in __libc_start_main csu/../csu/libc-start.c:308:16
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#13 0x443549 in _start (/usr/lib/frr/zebra+0x443549)
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-0x606000127a00 is located 0 bytes inside of 56-byte region [0x606000127a00,0x606000127a38)
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-freed by thread T0 here:
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    #0 0x4bd33d in free (/usr/lib/frr/zebra+0x4bd33d)
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    #1 0x7fb9ad42cc80 in qfree /home/sharpd/frr8/lib/memory.c:141:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    #2 0x7fb9ad547305 in route_table_free /home/sharpd/frr8/lib/table.c:141:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#3 0x7fb9ad546f04 in route_table_finish /home/sharpd/frr8/lib/table.c:61:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#4 0x6b94ba in zebra_ns_disable_internal /home/sharpd/frr8/zebra/zebra_ns.c:141:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#5 0x6b9692 in zebra_ns_early_shutdown /home/sharpd/frr8/zebra/zebra_ns.c:164:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#6 0x7fb9ad43f228 in ns_walk_func /home/sharpd/frr8/lib/netns_linux.c:386:9
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#7 0x55014f in sigint /home/sharpd/frr8/zebra/main.c:194:2
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#8 0x7fb9ad50db99 in frr_sigevent_process /home/sharpd/frr8/lib/sigevent.c:130:6
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#9 0x7fb9ad560d07 in thread_fetch /home/sharpd/frr8/lib/thread.c:1775:4
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#10 0x7fb9ad3d332d in frr_run /home/sharpd/frr8/lib/libfrr.c:1197:9
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#11 0x550b48 in main /home/sharpd/frr8/zebra/main.c:476:2
--
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-    FRRouting#7 0x7fb9acd30d09 in __libc_start_main csu/../csu/libc-start.c:308:16
./bfd_vrf_topo1.test_bfd_vrf_topo1/r2.zebra.asan.911929-

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
sworleys pushed a commit that referenced this pull request Dec 9, 2022
@donaldsharp
bgpd: Prevent use after free of peer structure
b242e73 
When changing the peers sockunion structure the bgp->peer
list was not being updated properly.  Since the peer's su
is being used for a sorted insert then the change of it requires
that the value be pulled out of the bgp->peer list and then
put back into as well.

Additionally ensure that the hash is always released on peer
deletion.

Lead to this from this decode in a address sanitizer run.

=================================================================
==30778==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a0000d8440 at pc 0x7f48c9c5c547 bp 0x7ffcba272cb0 sp 0x7ffcba272ca8
READ of size 2 at 0x62a0000d8440 thread T0
    #0 0x7f48c9c5c546 in sockunion_same lib/sockunion.c:425
    #1 0x55cfefe3000f in peer_hash_same bgpd/bgpd.c:890
    #2 0x7f48c9bde039 in hash_release lib/hash.c:209
    FRRouting#3 0x55cfefe3373f in bgp_peer_conf_if_to_su_update bgpd/bgpd.c:1541
    FRRouting#4 0x55cfefd0be7a in bgp_stop bgpd/bgp_fsm.c:1631
    FRRouting#5 0x55cfefe4028f in peer_delete bgpd/bgpd.c:2362
    FRRouting#6 0x55cfefdd5e97 in no_neighbor_interface_config bgpd/bgp_vty.c:4267
    FRRouting#7 0x7f48c9b9d160 in cmd_execute_command_real lib/command.c:949
    FRRouting#8 0x7f48c9ba1112 in cmd_execute_command lib/command.c:1009
    FRRouting#9 0x7f48c9ba1573 in cmd_execute lib/command.c:1162
    FRRouting#10 0x7f48c9c87402 in vty_command lib/vty.c:526
    FRRouting#11 0x7f48c9c87832 in vty_execute lib/vty.c:1291
    FRRouting#12 0x7f48c9c8e741 in vtysh_read lib/vty.c:2130
    FRRouting#13 0x7f48c9c7a66d in thread_call lib/thread.c:1585
    FRRouting#14 0x7f48c9bf64e7 in frr_run lib/libfrr.c:1123
    FRRouting#15 0x55cfefc75a15 in main bgpd/bgp_main.c:540
    FRRouting#16 0x7f48c96b009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    FRRouting#17 0x55cfefc787f9 in _start (/usr/lib/frr/bgpd+0xe27f9)

0x62a0000d8440 is located 576 bytes inside of 23376-byte region [0x62a0000d8200,0x62a0000ddd50)
freed by thread T0 here:
    #0 0x7f48c9eb9fb0 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
    #1 0x55cfefe3fe42 in peer_free bgpd/bgpd.c:1113
    #2 0x55cfefe3fe42 in peer_unlock_with_caller bgpd/bgpd.c:1144
    FRRouting#3 0x55cfefe4092e in peer_delete bgpd/bgpd.c:2457
    FRRouting#4 0x55cfefdd5e97 in no_neighbor_interface_config bgpd/bgp_vty.c:4267
    FRRouting#5 0x7f48c9b9d160 in cmd_execute_command_real lib/command.c:949
    FRRouting#6 0x7f48c9ba1112 in cmd_execute_command lib/command.c:1009
    FRRouting#7 0x7f48c9ba1573 in cmd_execute lib/command.c:1162
    FRRouting#8 0x7f48c9c87402 in vty_command lib/vty.c:526
    FRRouting#9 0x7f48c9c87832 in vty_execute lib/vty.c:1291
    FRRouting#10 0x7f48c9c8e741 in vtysh_read lib/vty.c:2130
    FRRouting#11 0x7f48c9c7a66d in thread_call lib/thread.c:1585
    FRRouting#12 0x7f48c9bf64e7 in frr_run lib/libfrr.c:1123
    FRRouting#13 0x55cfefc75a15 in main bgpd/bgp_main.c:540
    FRRouting#14 0x7f48c96b009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
sworleys pushed a commit that referenced this pull request Feb 9, 2023
@donaldsharp
zebra: Fix nexthop group memory leak
478c62e 
Address Sanitizer found this:

=================================================================
==418623==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 128 byte(s) in 4 object(s) allocated from:
    #0 0x4bd732 in calloc (/usr/lib/frr/zebra+0x4bd732)
    #1 0x7feaeab8f798 in qcalloc /home/sharpd/frr8/lib/memory.c:116:27
    #2 0x7feaeaba40f4 in nexthop_group_new /home/sharpd/frr8/lib/nexthop_group.c:270:9
    FRRouting#3 0x56859b in netlink_route_change_read_unicast /home/sharpd/frr8/zebra/rt_netlink.c:950:9
    FRRouting#4 0x5651c2 in netlink_route_change /home/sharpd/frr8/zebra/rt_netlink.c:1204:2
    FRRouting#5 0x54af15 in netlink_information_fetch /home/sharpd/frr8/zebra/kernel_netlink.c:407:10
    FRRouting#6 0x53e7a3 in netlink_parse_info /home/sharpd/frr8/zebra/kernel_netlink.c:1184:12
    FRRouting#7 0x548d46 in kernel_read /home/sharpd/frr8/zebra/kernel_netlink.c:501:2
    FRRouting#8 0x7feaeacc87f6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2
    FRRouting#9 0x7feaeab36503 in frr_run /home/sharpd/frr8/lib/libfrr.c:1198:3
    FRRouting#10 0x550d38 in main /home/sharpd/frr8/zebra/main.c:476:2
    FRRouting#11 0x7feaea492d09 in __libc_start_main csu/../csu/libc-start.c:308:16

Indirect leak of 576 byte(s) in 4 object(s) allocated from:
    #0 0x4bd732 in calloc (/usr/lib/frr/zebra+0x4bd732)
    #1 0x7feaeab8f798 in qcalloc /home/sharpd/frr8/lib/memory.c:116:27
    #2 0x7feaeab9b3f8 in nexthop_new /home/sharpd/frr8/lib/nexthop.c:373:7
    FRRouting#3 0x56875e in netlink_route_change_read_unicast /home/sharpd/frr8/zebra/rt_netlink.c:960:15
    FRRouting#4 0x5651c2 in netlink_route_change /home/sharpd/frr8/zebra/rt_netlink.c:1204:2
    FRRouting#5 0x54af15 in netlink_information_fetch /home/sharpd/frr8/zebra/kernel_netlink.c:407:10
    FRRouting#6 0x53e7a3 in netlink_parse_info /home/sharpd/frr8/zebra/kernel_netlink.c:1184:12
    FRRouting#7 0x548d46 in kernel_read /home/sharpd/frr8/zebra/kernel_netlink.c:501:2
    FRRouting#8 0x7feaeacc87f6 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2
    FRRouting#9 0x7feaeab36503 in frr_run /home/sharpd/frr8/lib/libfrr.c:1198:3
    FRRouting#10 0x550d38 in main /home/sharpd/frr8/zebra/main.c:476:2
    FRRouting#11 0x7feaea492d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 704 byte(s) leaked in 8 allocation(s).

Fix this!

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
sworleys pushed a commit that referenced this pull request Feb 9, 2023
bgpd: cleanup macip_path_list for remote macip
889360d 
ASAN reported the following memleak:
```
Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4d4342 in calloc (/usr/lib/frr/bgpd+0x4d4342)
    #1 0xbc3d68 in qcalloc /home/sharpd/frr8/lib/memory.c:116:27
    #2 0xb869f7 in list_new /home/sharpd/frr8/lib/linklist.c:64:9
    FRRouting#3 0x5a38bc in bgp_evpn_remote_ip_hash_alloc /home/sharpd/frr8/bgpd/bgp_evpn.c:6789:24
    FRRouting#4 0xb358d3 in hash_get /home/sharpd/frr8/lib/hash.c:162:13
    FRRouting#5 0x593d39 in bgp_evpn_remote_ip_hash_add /home/sharpd/frr8/bgpd/bgp_evpn.c:6881:7
    FRRouting#6 0x59dbbd in install_evpn_route_entry_in_vni_common /home/sharpd/frr8/bgpd/bgp_evpn.c:3049:2
    FRRouting#7 0x59cfe0 in install_evpn_route_entry_in_vni_ip /home/sharpd/frr8/bgpd/bgp_evpn.c:3126:8
    FRRouting#8 0x59c6f0 in install_evpn_route_entry /home/sharpd/frr8/bgpd/bgp_evpn.c:3318:8
    FRRouting#9 0x59bb52 in install_uninstall_route_in_vnis /home/sharpd/frr8/bgpd/bgp_evpn.c:3888:10
    FRRouting#10 0x59b6d2 in bgp_evpn_install_uninstall_table /home/sharpd/frr8/bgpd/bgp_evpn.c:4019:5
    FRRouting#11 0x578857 in install_uninstall_evpn_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4051:9
    FRRouting#12 0x58ada6 in bgp_evpn_import_route /home/sharpd/frr8/bgpd/bgp_evpn.c:6049:9
    FRRouting#13 0x713794 in bgp_update /home/sharpd/frr8/bgpd/bgp_route.c:4842:3
    FRRouting#14 0x583fa0 in process_type2_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4518:9
    FRRouting#15 0x5824ba in bgp_nlri_parse_evpn /home/sharpd/frr8/bgpd/bgp_evpn.c:5732:8
    FRRouting#16 0x6ae6a2 in bgp_nlri_parse /home/sharpd/frr8/bgpd/bgp_packet.c:363:10
    FRRouting#17 0x6be6fa in bgp_update_receive /home/sharpd/frr8/bgpd/bgp_packet.c:2020:15
    FRRouting#18 0x6b7433 in bgp_process_packet /home/sharpd/frr8/bgpd/bgp_packet.c:2929:11
    FRRouting#19 0xd00146 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2
```

The list itself was not being cleaned up when the final list entry was
removed, so make sure we do that instead of leaking memory.

Signed-off-by: Trey Aspelund <taspelund@nvidia.com>
sworleys pushed a commit that referenced this pull request Feb 9, 2023
@ton31337
bgpd: Show the real prefix for show bgp detail
9a1aae2 
Absolutely not possible to read the output and even distinguish the prefix
we are looking for.

Before:

```
donatas-pc# show ip bgp detail
BGP table version is 12, local router ID is 192.168.10.17, vrf id 0
Default local pref 100, local AS 65002
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

    Network          Next Hop            Metric LocPrf Weight Path
  65001
    2a02:4780:abc::2 from 2a02:4780:abc::2 (200.200.200.202)
    (fe80::a00:27ff:fe5e:d19e) (used)
      Origin incomplete, metric 0, valid, external, multipath
      Last update: Tue Dec 13 22:53:16 2022
  65001
    192.168.10.124 from 192.168.10.124 (200.200.200.202)
      Origin incomplete, metric 0, valid, external, otc 65001, multipath, best (Neighbor IP)
      Last update: Tue Dec 13 22:53:16 2022
  65001
    2a02:4780:abc::2 from 2a02:4780:abc::2 (200.200.200.202)
    (fe80::a00:27ff:fe5e:d19e) (used)
      Origin IGP, metric 0, valid, external, multipath
      Last update: Tue Dec 13 22:53:16 2022
  65001
    192.168.10.124 from 192.168.10.124 (200.200.200.202)
      Origin IGP, metric 0, valid, external, otc 65001, multipath, best (Neighbor IP)
      Last update: Tue Dec 13 22:53:16 2022
```

After:

```
donatas-pc# show ip bgp detail
BGP table version is 12, local router ID is 192.168.10.17, vrf id 0
Default local pref 100, local AS 65002
BGP routing table entry for 10.0.2.0/24, version 1
Paths: (2 available, best #2, table default)
  Advertised to non peer-group peers:
  2a02:4780:abc::2
  65001
    2a02:4780:abc::2 from 2a02:4780:abc::2 (200.200.200.202)
    (fe80::a00:27ff:fe5e:d19e) (used)
      Origin incomplete, metric 0, valid, external, multipath
      Last update: Tue Dec 13 22:47:16 2022
BGP routing table entry for 10.0.2.0/24, version 1
Paths: (2 available, best #2, table default)
  Advertised to non peer-group peers:
  2a02:4780:abc::2
  65001
    192.168.10.124 from 192.168.10.124 (200.200.200.202)
      Origin incomplete, metric 0, valid, external, otc 65001, multipath, best (Neighbor IP)
      Last update: Tue Dec 13 22:47:16 2022
BGP routing table entry for 10.10.100.0/24, version 2
Paths: (2 available, best #2, table default)
  Advertised to non peer-group peers:
  2a02:4780:abc::2
  65001
    2a02:4780:abc::2 from 2a02:4780:abc::2 (200.200.200.202)
    (fe80::a00:27ff:fe5e:d19e) (used)
      Origin IGP, metric 0, valid, external, multipath
      Last update: Tue Dec 13 22:47:16 2022
```

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
sworleys pushed a commit that referenced this pull request Feb 9, 2023
@louis-6wind
bgpd: fix show bgp all with evpn
0adc5bb 
Fix crash on "show bgp all" when BGP EVPN is set.

> #0  raise (sig=11) at ../sysdeps/unix/sysv/linux/raise.c:50
> #1  0x00007fdfe03cf53c in core_handler (signo=11, siginfo=0x7ffdebbffe30, context=0x7ffdebbffd00) at lib/sigevent.c:261
> #2  <signal handler called>
> FRRouting#3  0x00000000004d4fec in bgp_attr_get_community (attr=0x41) at bgpd/bgp_attr.h:553
> FRRouting#4  0x00000000004eee84 in bgp_show_table (vty=0x1a790d0, bgp=0x19d0a00, safi=SAFI_EVPN, table=0x19f6010, type=bgp_show_type_normal, output_arg=0x0, rd=0x0, is_last=1, output_cum=0x0,
>     total_cum=0x0, json_header_depth=0x7ffdebc00bf8, show_flags=4, rpki_target_state=RPKI_NOT_BEING_USED) at bgpd/bgp_route.c:11329
> FRRouting#5  0x00000000004f7765 in bgp_show (vty=0x1a790d0, bgp=0x19d0a00, afi=AFI_L2VPN, safi=SAFI_EVPN, type=bgp_show_type_normal, output_arg=0x0, show_flags=4,
>     rpki_target_state=RPKI_NOT_BEING_USED) at bgpd/bgp_route.c:11814
> FRRouting#6  0x00000000004fb53b in show_ip_bgp_magic (self=0x6752b0 <show_ip_bgp_cmd>, vty=0x1a790d0, argc=3, argv=0x19cb050, viewvrfname=0x0, all=0x1395390 "all", aa_nn=0x0, community_list=0,
>     community_list_str=0x0, community_list_name=0x0, as_path_filter_name=0x0, prefix_list=0x0, accesslist_name=0x0, rmap_name=0x0, version=0, version_str=0x0, alias_name=0x0,
>     orr_group_name=0x0, detail_routes=0x0, uj=0x0, detail_json=0x0, wide=0x0) at bgpd/bgp_route.c:13040
> FRRouting#7  0x00000000004fa322 in show_ip_bgp (self=0x6752b0 <show_ip_bgp_cmd>, vty=0x1a790d0, argc=3, argv=0x19cb050) at ./bgpd/bgp_route_clippy.c:519
> FRRouting#8  0x00007fdfe033ccc8 in cmd_execute_command_real (vline=0x19c9300, filter=FILTER_RELAXED, vty=0x1a790d0, cmd=0x0, up_level=0) at lib/command.c:996
> FRRouting#9  0x00007fdfe033c739 in cmd_execute_command (vline=0x19c9300, vty=0x1a790d0, cmd=0x0, vtysh=0) at lib/command.c:1056
> FRRouting#10 0x00007fdfe033cdf5 in cmd_execute (vty=0x1a790d0, cmd=0x19c9eb0 "show bgp all", matched=0x0, vtysh=0) at lib/command.c:1223
> FRRouting#11 0x00007fdfe03f65c6 in vty_command (vty=0x1a790d0, buf=0x19c9eb0 "show bgp all") at lib/vty.c:486
> FRRouting#12 0x00007fdfe03f603b in vty_execute (vty=0x1a790d0) at lib/vty.c:1249
> FRRouting#13 0x00007fdfe03f533b in vtysh_read (thread=0x7ffdebc03838) at lib/vty.c:2148
> FRRouting#14 0x00007fdfe03e815d in thread_call (thread=0x7ffdebc03838) at lib/thread.c:2006
> FRRouting#15 0x00007fdfe0379b54 in frr_run (master=0x1246880) at lib/libfrr.c:1198
> FRRouting#16 0x000000000042b2a8 in main (argc=7, argv=0x7ffdebc03af8) at bgpd/bgp_main.c:520

Link: FRRouting#12576
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sworleys