The FRRouting Protocol Suite
Philippe Guibert 02da52d22e bgpd: fix bmp heap use after free on non connected session
A heap use after free when enabling bmp mirror on a non connected BMP
target.

> Apr 22 14:06:49 vRR-DUT systemd[1]: Started bfdd.
> Apr 22 14:06:51 vRR-DUT bgpd[1522]: [VTCF0-ZHP6C] bmp: missing TX OPEN message for peer Static announcement
> Apr 22 14:06:51 vRR-DUT bgpd[1522]: [K3RM9-4A4HY] bmp: missing RX OPEN message for peer Static announcement
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: =================================================================
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000321d0 at pc 0x7fe7f11c548e bp 0x7fff49f80d40 sp 0x7fff49f80d30
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: READ of size 8 at 0x60f0000321d0 thread T0
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #0 0x7fe7f11c548d in typesafe_list_add /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #1 0x7fe7f11c9347 in bmp_mirrorq_add_tail /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:116
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #2 0x7fe7f11d030f in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:867
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #9 0x7fe7f4c29e3f in __libc_start_main_impl ../csu/libc-start.c:392
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #10 0x55c756c6e384 in _start (/usr/bin/bgpd+0x272384)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: 0x60f0000321d0 is located 0 bytes inside of 162-byte region [0x60f0000321d0,0x60f000032272)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: freed by thread T0 here:
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #0 0x7fe7f58b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #1 0x7fe7f526f918 in qfree (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f918)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #2 0x7fe7f11d057b in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:875
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: previously allocated by thread T0 here:
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #0 0x7fe7f58b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #1 0x7fe7f526f7c6 in qcalloc (/lib/x86_64-linux-gnu/libfrr.so.0+0x26f7c6)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #2 0x7fe7f11cfd38 in bmp_mirror_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_bmp.c:835
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #3 0x55c756de3e20 in hook_call_bgp_packet_dump /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:55
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #4 0x55c756dfd5ea in bgp_process_packet /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3699
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #5 0x7fe7f5375237 in event_call (/lib/x86_64-linux-gnu/libfrr.so.0+0x375237)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #6 0x7fe7f5242ecf in frr_run (/lib/x86_64-linux-gnu/libfrr.so.0+0x242ecf)
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #7 0x55c756c71804 in main /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:545
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:     #8 0x7fe7f4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: SUMMARY: AddressSanitizer: heap-use-after-free /build/make-pkg/output/_packages/cp-routing/src/lib/typesafe.h:161 in typesafe_list_add
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow bytes around the buggy address:
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe3f0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe410: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: =>0x0c1e7fffe430: 00 fa fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   0x0c1e7fffe480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: Shadow byte legend (one shadow byte represents 8 application bytes):
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Addressable:           00
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Partially addressable: 01 02 03 04 05 06 07
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Heap left redzone:       fa
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Freed heap region:       fd
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack left redzone:      f1
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack mid redzone:       f2
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack right redzone:     f3
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack after return:      f5
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Stack use after scope:   f8
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Global redzone:          f9
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Global init order:       f6
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Poisoned by user:        f7
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Container overflow:      fc
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Array cookie:            ac
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Intra object redzone:    bb
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   ASan internal:           fe
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Left alloca redzone:     ca
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Right alloca redzone:    cb
> Apr 22 14:06:52 vRR-DUT bgpd[1522]:   Shadow gap:              cc
> Apr 22 14:06:52 vRR-DUT bgpd[1522]: ==1522==ABORTING
> Apr 22 14:06:52 vRR-DUT yams[449]: CONFIG: [{'name': 'ttyS0'}]
> Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 50: Connection reset by peer
> Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Main process exited, code=exited, status=1/FAILURE
> Apr 22 14:06:52 vRR-DUT zebra[652]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 39: Connection reset by peer
> Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Failed with result 'exit-code'.
> Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 0) encountered an error and is shutting down.
> Apr 22 14:06:52 vRR-DUT systemd[1]: bgpd.service: Consumed 2.361s CPU time.
> Apr 22 14:06:52 vRR-DUT zebra[652]: [N5M5Y-J5BPG][EC 4043309121] Client 'bgp' (session id 1) encountered an error and is shutting down.
> Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 39 disconnected 0 bgp routes removed from the rib
> Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 39 disconnected 0 bgp nhgs removed from the rib
> Apr 22 14:06:52 vRR-DUT zebra[652]: [KQB7H-NPVW9] /build/make-pkg/output/_packages/cp-routing/src/zebra/zebra_ptm.c:1285 failed to find process pid registration
> Apr 22 14:06:52 vRR-DUT zebra[652]: [JPSA8-5KYEA] client 50 disconnected 0 bgp routes removed from the rib
> Apr 22 14:06:52 vRR-DUT zebra[652]: [S929C-NZR3N] client 50 disconnected 0 bgp nhgs removed from the rib
>

Do not enqueue item in the mirror queue if no reference count has been
found in the connection list.

Fixes: b1ebe54b29 ("bgpd: bmp, handle imported bgp instances in bmp_mirror")

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
2025-04-29 09:31:35 +02:00
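The guard this commit describes, as an added C model that is not FRR's bgp_bmp.c: a mirrored packet copy gets one reference per connected BMP target and is linked into the instance's mirror queue only when at least one reference exists; with no connected target it is released and never enqueued. The names mirror_item, bmp_instance and mirror_packet are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the refcount/enqueue pattern the commit message above
 * describes. It is not FRR's bgp_bmp.c; every name here is hypothetical. */
struct mirror_item {
	int refcount;            /* one reference per connected target */
	struct mirror_item *next;
	size_t len;
	unsigned char data[];    /* copy of the mirrored BGP packet */
};

struct bmp_instance {
	int connected[4];        /* connection state of each BMP target */
	size_t ntargets;
	struct mirror_item *qhead, *qtail; /* instance-level mirror queue */
	size_t qlen;
};

/* Mirror one packet: allocate a copy, give every connected target a
 * reference, and queue it only if someone holds a reference. Returns the
 * queued item, or NULL when no target is connected and the copy was freed. */
struct mirror_item *mirror_packet(struct bmp_instance *bi,
				  const unsigned char *pkt, size_t len)
{
	struct mirror_item *it = calloc(1, sizeof(*it) + len);
	if (!it)
		return NULL;
	memcpy(it->data, pkt, len);
	it->len = len;
	for (size_t i = 0; i < bi->ntargets; i++)
		if (bi->connected[i])
			it->refcount++;
	if (it->refcount == 0) {
		/* Nobody will consume it: release the copy and stop here.
		 * Before the fix an unreferenced item could be both freed and
		 * still linked in the queue, so the next enqueue dereferenced
		 * freed memory (the heap-use-after-free ASan reported). */
		free(it);
		return NULL;
	}
	if (bi->qtail)
		bi->qtail->next = it;
	else
		bi->qhead = it;
	bi->qtail = it;
	bi->qlen++;
	return it;
}
```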


FRRouting

FRR is free software that implements and manages various IPv4 and IPv6 routing protocols. It runs on nearly all distributions of Linux and BSD and supports all modern CPU architectures.

FRR currently supports the following protocols:

  • BGP
  • OSPFv2
  • OSPFv3
  • RIPv1
  • RIPv2
  • RIPng
  • IS-IS
  • PIM-SM/MSDP
  • LDP
  • BFD
  • Babel
  • PBR
  • OpenFabric
  • VRRP
  • EIGRP (alpha)
  • NHRP (alpha)

Installation & Use

For source tarballs, see the releases page.

For Debian and its derivatives, use the APT repository at https://deb.frrouting.org/.

Instructions on building and installing from source for supported platforms may be found in the developer docs.

Once installed, please refer to the user guide for instructions on use.

Community

The FRRouting email list server is located here and offers the following public lists:

Topic               List
Development         dev@lists.frrouting.org
Users & Operators   frog@lists.frrouting.org
Announcements       announce@lists.frrouting.org

For chat, we currently use Slack. You can join by clicking the "Slack" link under the Participate section of our website.

Contributing

FRR maintains developer's documentation which contains the project workflow and expectations for contributors. Some technical documentation on project internals is also available.

We welcome and appreciate all contributions, no matter how small!

Security

To report security issues, please use our security mailing list:

security [at] lists.frrouting.org