Skip to content

Commit

Permalink
bgpd: bmp, fix address sanitizer issue
Browse files Browse the repository at this point in the history
The following ASAN error can be seen.

> ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x608000036c20
>     #0 0x7f3d7a4b5425 in __interceptor_malloc_usable_size ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:198
>     #1 0x7f3d7a426a16 in __sanitizer::BufferedStackTrace::Unwind(unsigned long, unsigned long, void*, bool, unsigned int) ../../../../src/libsanitizer/sanitizer_common
> /sanitizer_stacktrace.h:122
>     #2 0x7f3d7a426a16 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1074
>     #3 0x7f3d7a03f330 in mt_count_free lib/memory.c:78
>     #4 0x7f3d7a03f330 in qfree lib/memory.c:130
>     #5 0x7f3d76ccf89b in bmp_peer_status_changed bgpd/bgp_bmp.c:982
>     #6 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47
>     #7 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287
>     #8 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777
>     #9 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140
>     #10 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764
>     #11 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003
>     #12 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062
>     #13 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228
>     #14 0x7f3d7a107b53 in vty_command lib/vty.c:625
>     #15 0x7f3d7a109902 in vty_execute lib/vty.c:1388
>     #16 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400
>     #17 0x7f3d7a0f848b in event_call lib/event.c:2019
>     #18 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232
>     #19 0x560ae29e0037 in main bgpd/bgp_main.c:555
>     #20 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>     #21 0x7f3d79a29e3f in __libc_start_main_impl ../csu/libc-start.c:392
>     #22 0x560ae29e4ef4 in _start (/usr/lib/frr/bgpd+0x2eeef4)
>
> 0x608000036c20 is located 0 bytes inside of 81-byte region [0x608000036c20,0x608000036c71)
> freed by thread T0 here:
>     #0 0x7f3d7a4b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
>     #1 0x7f3d76ccf85f in bmp_peer_status_changed bgpd/bgp_bmp.c:981
>     #2 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47
>     #3 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287
>     #4 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777
>     #5 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140
>     #6 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764
>     #7 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003
>     #8 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062
>     #9 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228
>     #10 0x7f3d7a107b53 in vty_command lib/vty.c:625
>     #11 0x7f3d7a109902 in vty_execute lib/vty.c:1388
>     #12 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400
>     #13 0x7f3d7a0f848b in event_call lib/event.c:2019
>     #14 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232
>     #15 0x560ae29e0037 in main bgpd/bgp_main.c:555
>     #16 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> previously allocated by thread T0 here:
>     #0 0x7f3d7a4b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
>     #1 0x7f3d7a03f0e9 in qmalloc lib/memory.c:101
>     #2 0x7f3d76cd0166 in bmp_bgp_peer_vrf bgpd/bgp_bmp.c:2194
>     #3 0x7f3d76cd0166 in bmp_bgp_update_vrf_status bgpd/bgp_bmp.c:2236
>     #4 0x7f3d76cd29b8 in bmp_vrf_state_changed bgpd/bgp_bmp.c:3479
>     #5 0x560ae2c45b34 in hook_call_bgp_instance_state bgpd/bgpd.c:88
>     #6 0x560ae2c4d158 in bgp_instance_up bgpd/bgpd.c:3936
>     #7 0x560ae29e5ed1 in bgp_vrf_enable bgpd/bgp_main.c:299
>     #8 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:286
>     #9 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:275
>     #10 0x7f3d7a12ab66 in zclient_vrf_add lib/zclient.c:2561
>     #11 0x7f3d7a12eb43 in zclient_read lib/zclient.c:4624
>     #12 0x7f3d7a0f848b in event_call lib/event.c:2019
>     #13 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232
>     #14 0x560ae29e0037 in main bgpd/bgp_main.c:555
>     #15 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
  • Loading branch information
pguibert6WIND committed Dec 30, 2024
1 parent 8d8f73e commit 9e940d4
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion bgpd/bgp_bmp.c
Original file line number Diff line number Diff line change
Expand Up @@ -2017,7 +2017,8 @@ static void bmp_bgp_peer_vrf(struct bmp_bgp_peer *bbpeer, struct bgp *bgp)
memcpy(bbpeer->open_rx, s->data, open_len);

bbpeer->open_tx_len = open_len;
bbpeer->open_tx = bbpeer->open_rx;
bbpeer->open_tx = XMALLOC(MTYPE_BMP_OPEN, open_len);
memcpy(bbpeer->open_tx, s->data, open_len);

stream_free(s);
}
Expand Down

0 comments on commit 9e940d4

Please sign in to comment.