fix idx_word #18
Open: yangshp1987 wants to merge 1 commit into sonic-net:frr/7.2 from yangshp1987:frr/7.2
Signed-off-by: yangshiping <[email protected]>
pavel-shirshov pushed a commit that referenced this pull request Nov 17, 2020

When zebra is running with debugs turned on there is a use after free reported by the address sanitizer:

```
2020/10/16 12:58:02 ZEBRA: rib_delnode: (0:254):4.5.6.16/32: rn 0x60b000026f20, re 0x6080000131a0, removing
2020/10/16 12:58:02 ZEBRA: rib_meta_queue_add: (0:254):4.5.6.16/32: queued rn 0x60b000026f20 into sub-queue 3
=================================================================
==3101430==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011d28 at pc 0x555555705ab6 bp 0x7fffffffdab0 sp 0x7fffffffdaa8
READ of size 8 at 0x608000011d28 thread T0
    #0 0x555555705ab5 in re_list_const_first zebra/rib.h:222
    #1 0x555555705b54 in re_list_first zebra/rib.h:222
    #2 0x555555711a4f in process_subq_route zebra/zebra_rib.c:2248
    #3 0x555555711d2e in process_subq zebra/zebra_rib.c:2286
    #4 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320
    #5 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291
    #6 0x7ffff7450e9c in thread_call lib/thread.c:1581
    #7 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099
    #8 0x55555561a578 in main zebra/main.c:455
    #9 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308
    #10 0x5555555e3429 in _start (/usr/lib/frr/zebra+0x8f429)

0x608000011d28 is located 8 bytes inside of 88-byte region [0x608000011d20,0x608000011d78)
freed by thread T0 here:
    #0 0x7ffff768bb6f in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f)
    #1 0x7ffff739ccad in qfree lib/memory.c:129
    #2 0x555555709ee4 in rib_gc_dest zebra/zebra_rib.c:746
    #3 0x55555570ca76 in rib_process zebra/zebra_rib.c:1240
    #4 0x555555711a05 in process_subq_route zebra/zebra_rib.c:2245
    #5 0x555555711d2e in process_subq zebra/zebra_rib.c:2286
    #6 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320
    #7 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291
    #8 0x7ffff7450e9c in thread_call lib/thread.c:1581
    #9 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099
    #10 0x55555561a578 in main zebra/main.c:455
    #11 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7ffff768c037 in calloc (/lib/x86_64-linux-gnu/libasan.so.6+0xaa037)
    #1 0x7ffff739cb98 in qcalloc lib/memory.c:110
    #2 0x555555712ace in zebra_rib_create_dest zebra/zebra_rib.c:2515
    #3 0x555555712c6c in rib_link zebra/zebra_rib.c:2576
    #4 0x555555712faa in rib_addnode zebra/zebra_rib.c:2607
    #5 0x555555715bf0 in rib_add_multipath_nhe zebra/zebra_rib.c:3012
    #6 0x555555715f56 in rib_add_multipath zebra/zebra_rib.c:3049
    #7 0x55555571788b in rib_add zebra/zebra_rib.c:3327
    #8 0x5555555e584a in connected_up zebra/connected.c:254
    #9 0x5555555e42ff in connected_announce zebra/connected.c:94
    #10 0x5555555e4fd3 in connected_update zebra/connected.c:195
    #11 0x5555555e61ad in connected_add_ipv4 zebra/connected.c:340
    #12 0x5555555f26f5 in netlink_interface_addr zebra/if_netlink.c:1213
    #13 0x55555560f756 in netlink_information_fetch zebra/kernel_netlink.c:350
    #14 0x555555612e49 in netlink_parse_info zebra/kernel_netlink.c:941
    #15 0x55555560f9f1 in kernel_read zebra/kernel_netlink.c:402
    #16 0x7ffff7450e9c in thread_call lib/thread.c:1581
    #17 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099
    #18 0x55555561a578 in main zebra/main.c:455
    #19 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free zebra/rib.h:222 in re_list_const_first
```

This is happening because we are using the dest pointer after a call into rib_gc_dest. In process_subq_route, we call rib_process() and if the dest is deleted dest pointer is now garbage. We must reload the dest pointer in this case.

Signed-off-by: Donald Sharp <[email protected]>
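The stale-pointer pattern this commit message describes, as a stand-alone C example added here for illustration; it is not FRR code, and `struct node`, `struct dest`, `process()` and the two `process_route_*` functions are hypothetical stand-ins for the route node, its dest, `rib_process()` and `process_subq_route()`. It assumes the callee clears the owner's pointer when it frees the dest, which is what makes the reload detectable.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins, not FRR's types: a table node that owns a
 * per-prefix "dest" record holding the number of route entries. */
struct dest { int entries; };
struct node { struct dest *info; };

struct node *node_new(int entries)
{
    struct node *n = calloc(1, sizeof(*n));
    struct dest *d = calloc(1, sizeof(*d));
    if (!n || !d) {
        free(n);
        free(d);
        return NULL;
    }
    d->entries = entries;
    n->info = d;
    return n;
}

void node_free(struct node *n)
{
    if (!n)
        return;
    free(n->info); /* free(NULL) is a no-op when the dest was collected */
    free(n);
}

/* Callee: removes one entry and garbage-collects the dest once it is
 * empty. The owner's pointer is cleared (assumed behaviour) so callers
 * can tell that the dest is gone. */
void process(struct node *n)
{
    struct dest *d = n->info;
    if (!d)
        return;
    if (d->entries > 0)
        d->entries--;
    if (d->entries == 0) {
        free(d);
        n->info = NULL;
    }
}

/* BEFORE: the dest pointer is cached before the call and read after it.
 * If process() collected the dest, the read below is the
 * heap-use-after-free ASan reports. Shown for contrast, never called. */
int process_route_stale(struct node *n)
{
    struct dest *d = n->info;
    if (!d)
        return -1;
    process(n);
    return d->entries; /* d may point at freed memory here */
}

/* AFTER: reload the dest from its owner once the callee has returned,
 * and treat a cleared pointer as "dest deleted". Returns the remaining
 * entry count, or -1 when there is no dest to read. */
int process_route_reloaded(struct node *n)
{
    if (!n->info)
        return -1;
    process(n);
    struct dest *d = n->info; /* reload: the earlier value may be stale */
    if (!d)
        return -1;
    return d->entries;
}

int main(void)
{
    struct node *n = node_new(2); /* constructed sample: two entries */
    if (!n)
        return 1;
    printf("after 1st pass: %d\n", process_route_reloaded(n));
    printf("after 2nd pass: %d\n", process_route_reloaded(n));
    node_free(n);
    return 0;
}
```

Building the stale variant with `-fsanitize=address` and calling it on a node holding one entry reproduces the report class shown in the commit message.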
dgsudharsan pushed a commit to dgsudharsan/sonic-frr that referenced this pull request Jun 6, 2023

ASAN reported the following memleak:

```
Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4d4342 in calloc (/usr/lib/frr/bgpd+0x4d4342)
    #1 0xbc3d68 in qcalloc /home/sharpd/frr8/lib/memory.c:116:27
    #2 0xb869f7 in list_new /home/sharpd/frr8/lib/linklist.c:64:9
    #3 0x5a38bc in bgp_evpn_remote_ip_hash_alloc /home/sharpd/frr8/bgpd/bgp_evpn.c:6789:24
    #4 0xb358d3 in hash_get /home/sharpd/frr8/lib/hash.c:162:13
    #5 0x593d39 in bgp_evpn_remote_ip_hash_add /home/sharpd/frr8/bgpd/bgp_evpn.c:6881:7
    #6 0x59dbbd in install_evpn_route_entry_in_vni_common /home/sharpd/frr8/bgpd/bgp_evpn.c:3049:2
    #7 0x59cfe0 in install_evpn_route_entry_in_vni_ip /home/sharpd/frr8/bgpd/bgp_evpn.c:3126:8
    #8 0x59c6f0 in install_evpn_route_entry /home/sharpd/frr8/bgpd/bgp_evpn.c:3318:8
    #9 0x59bb52 in install_uninstall_route_in_vnis /home/sharpd/frr8/bgpd/bgp_evpn.c:3888:10
    #10 0x59b6d2 in bgp_evpn_install_uninstall_table /home/sharpd/frr8/bgpd/bgp_evpn.c:4019:5
    #11 0x578857 in install_uninstall_evpn_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4051:9
    #12 0x58ada6 in bgp_evpn_import_route /home/sharpd/frr8/bgpd/bgp_evpn.c:6049:9
    #13 0x713794 in bgp_update /home/sharpd/frr8/bgpd/bgp_route.c:4842:3
    #14 0x583fa0 in process_type2_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4518:9
    #15 0x5824ba in bgp_nlri_parse_evpn /home/sharpd/frr8/bgpd/bgp_evpn.c:5732:8
    #16 0x6ae6a2 in bgp_nlri_parse /home/sharpd/frr8/bgpd/bgp_packet.c:363:10
    #17 0x6be6fa in bgp_update_receive /home/sharpd/frr8/bgpd/bgp_packet.c:2020:15
    #18 0x6b7433 in bgp_process_packet /home/sharpd/frr8/bgpd/bgp_packet.c:2929:11
    #19 0xd00146 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2
```

The list itself was not being cleaned up when the final list entry was removed, so make sure we do that instead of leaking memory.

Signed-off-by: Trey Aspelund <[email protected]>
marcosfsch pushed a commit to marcosfsch/sonic-frr that referenced this pull request Jan 30, 2024

This commit ensures proper cleanup by deleting the gm_join_list when a PIM interface is deleted. The gm_join_list was previously not being freed, causing a memory leak.

The ASan leak log for reference:

```
***********************************************************************************
Address Sanitizer Error detected in multicast_mld_join_topo1.test_multicast_mld_local_join/r1.asan.pim6d.28070

=================================================================
==28070==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x56230373dd6b in qcalloc lib/memory.c:105
    #2 0x56230372180f in list_new lib/linklist.c:49
    #3 0x56230361b589 in pim_if_gm_join_add pimd/pim_iface.c:1313
    #4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868
    #5 0x562303767280 in nb_callback_create lib/northbound.c:1235
    #6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579
    #7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710
    #8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104
    #9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137
    #10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49
    #11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88
    #12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991
    #13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053
    #14 0x5623036c6392 in cmd_execute lib/command.c:1221
    #15 0x5623037e75da in vty_command lib/vty.c:591
    #16 0x5623037e7a74 in vty_execute lib/vty.c:1354
    #17 0x5623037f0253 in vtysh_read lib/vty.c:2362
    #18 0x5623037db4e8 in event_call lib/event.c:1995
    #19 0x562303720f97 in frr_run lib/libfrr.c:1213
    #20 0x56230368615d in main pimd/pim6_main.c:184
    #21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

Indirect leak of 192 byte(s) in 4 object(s) allocated from:
    #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x56230373dd6b in qcalloc lib/memory.c:105
    #2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288
    #3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326
    #4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868
    #5 0x562303767280 in nb_callback_create lib/northbound.c:1235
    #6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579
    #7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710
    #8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104
    #9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137
    #10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49
    #11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88
    #12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991
    #13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053
    #14 0x5623036c6392 in cmd_execute lib/command.c:1221
    #15 0x5623037e75da in vty_command lib/vty.c:591
    #16 0x5623037e7a74 in vty_execute lib/vty.c:1354
    #17 0x5623037f0253 in vtysh_read lib/vty.c:2362
    #18 0x5623037db4e8 in event_call lib/event.c:1995
    #19 0x562303720f97 in frr_run lib/libfrr.c:1213
    #20 0x56230368615d in main pimd/pim6_main.c:184
    #21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

Indirect leak of 96 byte(s) in 4 object(s) allocated from:
    #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x56230373dd6b in qcalloc lib/memory.c:105
    #2 0x562303721651 in listnode_new lib/linklist.c:71
    #3 0x56230372182b in listnode_add lib/linklist.c:92
    #4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295
    #5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326
    #6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868
    #7 0x562303767280 in nb_callback_create lib/northbound.c:1235
    #8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579
    #9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710
    #10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104
    #11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137
    #12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49
    #13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88
    #14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991
    #15 0x5623036c5f1b in cmd_execute_command lib/command.c:1053
    #16 0x5623036c6392 in cmd_execute lib/command.c:1221
    #17 0x5623037e75da in vty_command lib/vty.c:591
    #18 0x5623037e7a74 in vty_execute lib/vty.c:1354
    #19 0x5623037f0253 in vtysh_read lib/vty.c:2362
    #20 0x5623037db4e8 in event_call lib/event.c:1995
    #21 0x562303720f97 in frr_run lib/libfrr.c:1213
    #22 0x56230368615d in main pimd/pim6_main.c:184
    #23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

Indirect leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x56230373dd6b in qcalloc lib/memory.c:105
    #2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288
    #3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326
    #4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868
    #5 0x562303767280 in nb_callback_create lib/northbound.c:1235
    #6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579
    #7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710
    #8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104
    #9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137
    #10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49
    #11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88
    #12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991
    #13 0x5623036c5f6f in cmd_execute_command lib/command.c:1072
    #14 0x5623036c6392 in cmd_execute lib/command.c:1221
    #15 0x5623037e75da in vty_command lib/vty.c:591
    #16 0x5623037e7a74 in vty_execute lib/vty.c:1354
    #17 0x5623037f0253 in vtysh_read lib/vty.c:2362
    #18 0x5623037db4e8 in event_call lib/event.c:1995
    #19 0x562303720f97 in frr_run lib/libfrr.c:1213
    #20 0x56230368615d in main pimd/pim6_main.c:184
    #21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x56230373dd6b in qcalloc lib/memory.c:105
    #2 0x562303721651 in listnode_new lib/linklist.c:71
    #3 0x56230372182b in listnode_add lib/linklist.c:92
    #4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295
    #5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326
    #6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868
    #7 0x562303767280 in nb_callback_create lib/northbound.c:1235
    #8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579
    #9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710
    #10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104
    #11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137
    #12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49
    #13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88
    #14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991
    #15 0x5623036c5f6f in cmd_execute_command lib/command.c:1072
    #16 0x5623036c6392 in cmd_execute lib/command.c:1221
    #17 0x5623037e75da in vty_command lib/vty.c:591
    #18 0x5623037e7a74 in vty_execute lib/vty.c:1354
    #19 0x5623037f0253 in vtysh_read lib/vty.c:2362
    #20 0x5623037db4e8 in event_call lib/event.c:1995
    #21 0x562303720f97 in frr_run lib/libfrr.c:1213
    #22 0x56230368615d in main pimd/pim6_main.c:184
    #23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: 400 byte(s) leaked in 11 allocation(s).
***********************************************************************************
```

Signed-off-by: Keelan Cannoo <[email protected]>
marcosfsch pushed a commit to marcosfsch/sonic-frr that referenced this pull request Jan 30, 2024

The loading_done event needs a event pointer to prevent use after free's. Testing found this:

```
ERROR: AddressSanitizer: heap-use-after-free on address 0x613000035130 at pc 0x55ad42d54e5f bp 0x7ffff1e942a0 sp 0x7ffff1e94290
READ of size 1 at 0x613000035130 thread T0
    #0 0x55ad42d54e5e in loading_done ospf6d/ospf6_neighbor.c:447
    #1 0x55ad42ed7be4 in event_call lib/event.c:1995
    #2 0x55ad42e1df75 in frr_run lib/libfrr.c:1213
    #3 0x55ad42cf332e in main ospf6d/ospf6_main.c:250
    #4 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #5 0x55ad42cf2b19 in _start (/usr/lib/frr/ospf6d+0x248b19)

0x613000035130 is located 48 bytes inside of 384-byte region [0x613000035100,0x613000035280)
freed by thread T0 here:
    #0 0x7f57998d77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55ad42e3b4b6 in qfree lib/memory.c:130
    #2 0x55ad42d5d049 in ospf6_neighbor_delete ospf6d/ospf6_neighbor.c:180
    #3 0x55ad42d1e1ea in interface_down ospf6d/ospf6_interface.c:930
    #4 0x55ad42ed7be4 in event_call lib/event.c:1995
    #5 0x55ad42ed84fe in _event_execute lib/event.c:2086
    #6 0x55ad42d26d7b in ospf6_interface_clear ospf6d/ospf6_interface.c:2847
    #7 0x55ad42d73f16 in ospf6_process_reset ospf6d/ospf6_top.c:755
    #8 0x55ad42d7e98c in clear_router_ospf6_magic ospf6d/ospf6_top.c:778
    #9 0x55ad42d7e98c in clear_router_ospf6 ospf6d/ospf6_top_clippy.c:42
    #10 0x55ad42dc2665 in cmd_execute_command_real lib/command.c:994
    #11 0x55ad42dc2b32 in cmd_execute_command lib/command.c:1053
    #12 0x55ad42dc2fa9 in cmd_execute lib/command.c:1221
    #13 0x55ad42ee3cd6 in vty_command lib/vty.c:591
    #14 0x55ad42ee4170 in vty_execute lib/vty.c:1354
    #15 0x55ad42eec94f in vtysh_read lib/vty.c:2362
    #16 0x55ad42ed7be4 in event_call lib/event.c:1995
    #17 0x55ad42e1df75 in frr_run lib/libfrr.c:1213
    #18 0x55ad42cf332e in main ospf6d/ospf6_main.c:250
    #19 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

previously allocated by thread T0 here:
    #0 0x7f57998d7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55ad42e3ab22 in qcalloc lib/memory.c:105
    #2 0x55ad42d5c8ff in ospf6_neighbor_create ospf6d/ospf6_neighbor.c:119
    #3 0x55ad42d4c86a in ospf6_hello_recv ospf6d/ospf6_message.c:464
    #4 0x55ad42d4c86a in ospf6_read_helper ospf6d/ospf6_message.c:1884
    #5 0x55ad42d4c86a in ospf6_receive ospf6d/ospf6_message.c:1925
    #6 0x55ad42ed7be4 in event_call lib/event.c:1995
    #7 0x55ad42e1df75 in frr_run lib/libfrr.c:1213
    #8 0x55ad42cf332e in main ospf6d/ospf6_main.c:250
    #9 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
```

Add an actual event pointer and just track it appropriately.

Signed-off-by: Donald Sharp <[email protected]>
eddieruan-alibaba pushed a commit to eddieruan-alibaba/sonic-frr that referenced this pull request Mar 11, 2025

The following ASAN error can be seen.

> ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x608000036c20
>     #0 0x7f3d7a4b5425 in __interceptor_malloc_usable_size ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:198
>     #1 0x7f3d7a426a16 in __sanitizer::BufferedStackTrace::Unwind(unsigned long, unsigned long, void*, bool, unsigned int) ../../../../src/libsanitizer/sanitizer_common
> /sanitizer_stacktrace.h:122
>     #2 0x7f3d7a426a16 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1074
>     #3 0x7f3d7a03f330 in mt_count_free lib/memory.c:78
>     #4 0x7f3d7a03f330 in qfree lib/memory.c:130
>     #5 0x7f3d76ccf89b in bmp_peer_status_changed bgpd/bgp_bmp.c:982
>     #6 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47
>     #7 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287
>     #8 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777
>     #9 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140
>     #10 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764
>     #11 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003
>     #12 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062
>     #13 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228
>     #14 0x7f3d7a107b53 in vty_command lib/vty.c:625
>     #15 0x7f3d7a109902 in vty_execute lib/vty.c:1388
>     #16 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400
>     #17 0x7f3d7a0f848b in event_call lib/event.c:2019
>     #18 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232
>     #19 0x560ae29e0037 in main bgpd/bgp_main.c:555
>     #20 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>     #21 0x7f3d79a29e3f in __libc_start_main_impl ../csu/libc-start.c:392
>     #22 0x560ae29e4ef4 in _start (/usr/lib/frr/bgpd+0x2eeef4)
>
> 0x608000036c20 is located 0 bytes inside of 81-byte region [0x608000036c20,0x608000036c71)
> freed by thread T0 here:
>     #0 0x7f3d7a4b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
>     #1 0x7f3d76ccf85f in bmp_peer_status_changed bgpd/bgp_bmp.c:981
>     #2 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47
>     #3 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287
>     #4 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777
>     #5 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140
>     #6 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764
>     #7 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003
>     #8 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062
>     #9 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228
>     #10 0x7f3d7a107b53 in vty_command lib/vty.c:625
>     #11 0x7f3d7a109902 in vty_execute lib/vty.c:1388
>     #12 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400
>     #13 0x7f3d7a0f848b in event_call lib/event.c:2019
>     #14 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232
>     #15 0x560ae29e0037 in main bgpd/bgp_main.c:555
>     #16 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> previously allocated by thread T0 here:
>     #0 0x7f3d7a4b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
>     #1 0x7f3d7a03f0e9 in qmalloc lib/memory.c:101
>     #2 0x7f3d76cd0166 in bmp_bgp_peer_vrf bgpd/bgp_bmp.c:2194
>     #3 0x7f3d76cd0166 in bmp_bgp_update_vrf_status bgpd/bgp_bmp.c:2236
>     #4 0x7f3d76cd29b8 in bmp_vrf_state_changed bgpd/bgp_bmp.c:3479
>     #5 0x560ae2c45b34 in hook_call_bgp_instance_state bgpd/bgpd.c:88
>     #6 0x560ae2c4d158 in bgp_instance_up bgpd/bgpd.c:3936
>     #7 0x560ae29e5ed1 in bgp_vrf_enable bgpd/bgp_main.c:299
>     #8 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:286
>     #9 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:275
>     #10 0x7f3d7a12ab66 in zclient_vrf_add lib/zclient.c:2561
>     #11 0x7f3d7a12eb43 in zclient_read lib/zclient.c:4624
>     #12 0x7f3d7a0f848b in event_call lib/event.c:2019
>     #13 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232
>     #14 0x560ae29e0037 in main bgpd/bgp_main.c:555
>     #15 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Philippe Guibert <[email protected]>
eddieruan-alibaba pushed a commit to eddieruan-alibaba/sonic-frr that referenced this pull request Aug 19, 2025

Seen with bfd_vrf_topo1, and bgp_evpn_rt5 on Ubuntu 22.04 hwe.

Do not call ns_delete() from zebra_vrf_delete(), which calls zebra_ns_delete().

- If a netns is removed from the system, vrf_delete()->zebra_vrf_delete() is called before calling ns_delete() (see zebra_ns_notify.c).
- If zebra is terminating, zebra_ns_final_shutdown() will call zebra_vrf_delete().

> ==616172==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000ae3a4 at pc 0x556cdc178d8f bp 0x7ffe4f41ace0 sp 0x7ffe4f41acd0
> READ of size 4 at 0x6160000ae3a4 thread T0
>     #0 0x556cdc178d8e in ctx_info_from_zns zebra/zebra_dplane.c:3394
>     #1 0x556cdc178f55 in dplane_ctx_ns_init zebra/zebra_dplane.c:3410
>     #2 0x556cdc17b829 in dplane_ctx_nexthop_init zebra/zebra_dplane.c:3759
>     #3 0x556cdc18095f in dplane_nexthop_update_internal zebra/zebra_dplane.c:4566
>     #4 0x556cdc1813f1 in dplane_nexthop_delete zebra/zebra_dplane.c:4793
>     #5 0x556cdc229234 in zebra_nhg_uninstall_kernel zebra/zebra_nhg.c:3484
>     #6 0x556cdc21f8fe in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1804
>     #7 0x556cdc24b05a in route_entry_update_nhe zebra/zebra_rib.c:456
>     #8 0x556cdc255083 in rib_re_nhg_free zebra/zebra_rib.c:2633
>     #9 0x556cdc25e3bb in rib_unlink zebra/zebra_rib.c:4049
>     #10 0x556cdc24c9b0 in zebra_rtable_node_cleanup zebra/zebra_rib.c:903
>     #11 0x7fb25c173144 in route_node_free lib/table.c:75
>     #12 0x7fb25c17337f in route_table_free lib/table.c:111
>     #13 0x7fb25c172fe4 in route_table_finish lib/table.c:46
>     #14 0x556cdc266f62 in zebra_router_free_table zebra/zebra_router.c:191
>     #15 0x556cdc2673ef in zebra_router_terminate zebra/zebra_router.c:243
>     #16 0x556cdc10638b in zebra_finalize zebra/main.c:240
>     #17 0x7fb25c18e012 in event_call lib/event.c:2019
>     #18 0x7fb25c04afc6 in frr_run lib/libfrr.c:1247
>     #19 0x556cdc106deb in main zebra/main.c:543
>     #20 0x7fb25ba29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>     #21 0x7fb25ba29e3f in __libc_start_main_impl ../csu/libc-start.c:392
>     #22 0x556cdc0c7ed4 in _start (/usr/lib/frr/zebra+0x192ed4)
>
> 0x6160000ae3a4 is located 36 bytes inside of 592-byte region [0x6160000ae380,0x6160000ae5d0)
> freed by thread T0 here:
>     #0 0x7fb25c6b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
>     #1 0x7fb25c0790e3 in qfree lib/memory.c:131
>     #2 0x556cdc22d9c9 in zebra_ns_delete zebra/zebra_ns.c:261
>     #3 0x7fb25c0ac400 in ns_delete lib/netns_linux.c:319
>     #4 0x556cdc28026a in zebra_vrf_delete zebra/zebra_vrf.c:343
>     #5 0x7fb25c197443 in vrf_delete lib/vrf.c:282
>     #6 0x7fb25c1987e8 in vrf_terminate_single lib/vrf.c:601
>     #7 0x7fb25c197a7a in vrf_iterate lib/vrf.c:394
>     #8 0x7fb25c198834 in vrf_terminate lib/vrf.c:609
>     #9 0x556cdc106345 in zebra_finalize zebra/main.c:223
>     #10 0x7fb25c18e012 in event_call lib/event.c:2019
>     #11 0x7fb25c04afc6 in frr_run lib/libfrr.c:1247
>     #12 0x556cdc106deb in main zebra/main.c:543
>     #13 0x7fb25ba29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> previously allocated by thread T0 here:
>     #0 0x7fb25c6b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
>     #1 0x7fb25c078f91 in qcalloc lib/memory.c:106
>     #2 0x556cdc22d6a1 in zebra_ns_new zebra/zebra_ns.c:231
>     #3 0x556cdc22e30b in zebra_ns_init zebra/zebra_ns.c:429
>     #4 0x556cdc106cec in main zebra/main.c:480
>     #5 0x7fb25ba29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> SUMMARY: AddressSanitizer: heap-use-after-free zebra/zebra_dplane.c:3394 in ctx_info_from_zns

Signed-off-by: Louis Scalbert <[email protected]>
Signed-off-by: Philippe Guibert <[email protected]>
There is a wrong assignment: when idx_word=1, the entry of `access-list WORD [seq (1-4294967295)] <permit|deny> any` cannot be deleted.
I fixed it. Please review it, thanks.
the wrong output:
Signed-off-by: yangshiping [email protected]