From 6e04e5e69ec5e4a4e2194c6337ad7eb24da08395 Mon Sep 17 00:00:00 2001 From: Philippe Guibert Date: Tue, 29 Oct 2024 22:24:47 +0100 Subject: [PATCH] bgpd: bmp, fix address sanitizer issue The following ASAN error can be seen. > ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x608000036c20 > #0 0x7f3d7a4b5425 in __interceptor_malloc_usable_size ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:198 > #1 0x7f3d7a426a16 in __sanitizer::BufferedStackTrace::Unwind(unsigned long, unsigned long, void*, bool, unsigned int) ../../../../src/libsanitizer/sanitizer_common > /sanitizer_stacktrace.h:122 > #2 0x7f3d7a426a16 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1074 > #3 0x7f3d7a03f330 in mt_count_free lib/memory.c:78 > #4 0x7f3d7a03f330 in qfree lib/memory.c:130 > #5 0x7f3d76ccf89b in bmp_peer_status_changed bgpd/bgp_bmp.c:982 > #6 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47 > #7 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287 > #8 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777 > #9 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140 > #10 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764 > #11 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003 > #12 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062 > #13 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228 > #14 0x7f3d7a107b53 in vty_command lib/vty.c:625 > #15 0x7f3d7a109902 in vty_execute lib/vty.c:1388 > #16 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400 > #17 0x7f3d7a0f848b in event_call lib/event.c:2019 > #18 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232 > #19 0x560ae29e0037 in main bgpd/bgp_main.c:555 > #20 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > #21 0x7f3d79a29e3f in __libc_start_main_impl ../csu/libc-start.c:392 > #22 0x560ae29e4ef4 in _start (/usr/lib/frr/bgpd+0x2eeef4) > > 0x608000036c20 is located 0 bytes inside of 81-byte region [0x608000036c20,0x608000036c71) > freed by thread T0 here: > #0 0x7f3d7a4b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 > #1 0x7f3d76ccf85f in bmp_peer_status_changed bgpd/bgp_bmp.c:981 > #2 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47 > #3 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287 > #4 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777 > #5 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140 > #6 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764 > #7 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003 > #8 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062 > #9 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228 > #10 0x7f3d7a107b53 in vty_command lib/vty.c:625 > #11 0x7f3d7a109902 in vty_execute lib/vty.c:1388 > #12 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400 > #13 0x7f3d7a0f848b in event_call lib/event.c:2019 > #14 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232 > #15 0x560ae29e0037 in main bgpd/bgp_main.c:555 > #16 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > previously allocated by thread T0 here: > #0 0x7f3d7a4b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 > #1 0x7f3d7a03f0e9 in qmalloc lib/memory.c:101 > #2 0x7f3d76cd0166 in bmp_bgp_peer_vrf bgpd/bgp_bmp.c:2194 > #3 0x7f3d76cd0166 in bmp_bgp_update_vrf_status bgpd/bgp_bmp.c:2236 > #4 0x7f3d76cd29b8 in bmp_vrf_state_changed bgpd/bgp_bmp.c:3479 > #5 0x560ae2c45b34 in hook_call_bgp_instance_state bgpd/bgpd.c:88 > #6 0x560ae2c4d158 in bgp_instance_up bgpd/bgpd.c:3936 > #7 0x560ae29e5ed1 in bgp_vrf_enable bgpd/bgp_main.c:299 > #8 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:286 > #9 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:275 > #10 0x7f3d7a12ab66 in zclient_vrf_add lib/zclient.c:2561 > #11 0x7f3d7a12eb43 in zclient_read lib/zclient.c:4624 > #12 0x7f3d7a0f848b in event_call lib/event.c:2019 > #13 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232 > #14 0x560ae29e0037 in main bgpd/bgp_main.c:555 > #15 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Philippe Guibert --- bgpd/bgp_bmp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bgpd/bgp_bmp.c b/bgpd/bgp_bmp.c index b1d3f7e81bbb..3b124c4a1887 100644 --- a/bgpd/bgp_bmp.c +++ b/bgpd/bgp_bmp.c @@ -2006,7 +2006,8 @@ static void bmp_bgp_peer_vrf(struct bmp_bgp_peer *bbpeer, struct bgp *bgp) memcpy(bbpeer->open_rx, s->data, open_len); bbpeer->open_tx_len = open_len; - bbpeer->open_tx = bbpeer->open_rx; + bbpeer->open_tx = XMALLOC(MTYPE_BMP_OPEN, open_len); + memcpy(bbpeer->open_tx, s->data, open_len); stream_free(s); }