Merge frr 10.0.1 changes to sonic frr/10.0.1 branch #39
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This fixes the initial implementation of commit 7743f2f ("OSPFd: Update Segment Routing PR following review") where it wsa not possible to remove the "segment-routing node-msd" CLI nodes via vtysh once segment-routing got disabled. Closes #14910 Signed-off-by: Christian Breunig <[email protected]>
frr-reload.py will walk through all config contexts and prepend no to the CLI command. This requires that the vtysh shell code accepts a full command. To Reproduce vtysh -c "conf t" -c "router ospf" -c "router-info area" vtysh -c "conf t" -c "router ospf" -c "no router-info area" % Unknown command: no router-info area vtysh -c "conf t" -c "router ospf" -c "no router-info" Signed-off-by: Christian Breunig <[email protected]>
ospfd: add support for "no router-info [<area|as>] command"
ospfd: can not delete "segment-routing node-msd" when SR if off
pimd: re-evaluated S,G OILs upon RP changes and empty SG upstream oils
```
struct bgp_adj_out {
struct rb_entry adj_entry; /* 0 32 */
/* XXX last struct has 4 bytes of padding */
struct update_subgroup * subgroup; /* 32 8 */
struct {
struct bgp_adj_out * tqe_next; /* 40 8 */
struct bgp_adj_out * * tqe_prev; /* 48 8 */
} subgrp_adj_train; /* 40 16 */
struct bgp_dest * dest; /* 56 8 */
/* --- cacheline 1 boundary (64 bytes) --- */
uint32_t addpath_tx_id; /* 64 4 */
uint32_t attr_hash; /* 68 4 */
struct attr * attr; /* 72 8 */
struct bgp_advertise * adv; /* 80 8 */
/* size: 88, cachelines: 2, members: 8 */
/* paddings: 1, sum paddings: 4 */
/* last cacheline: 24 bytes */
}; /* saved 8 bytes! */
```
Signed-off-by: Donatas Abraitis <[email protected]>
```
struct ecommunity {
long unsigned int refcnt; /* 0 8 */
uint8_t unit_size; /* 8 1 */
_Bool disable_ieee_floating; /* 9 1 */
/* XXX 2 bytes hole, try to pack */
uint32_t size; /* 12 4 */
uint8_t * val; /* 16 8 */
char * str; /* 24 8 */
/* size: 32, cachelines: 1, members: 6 */
/* sum members: 30, holes: 1, sum holes: 2 */
/* last cacheline: 32 bytes */
}; /* saved 8 bytes! */
```
Signed-off-by: Donatas Abraitis <[email protected]>
```
struct bgp_nexthop_cache {
afi_t afi; /* 0 4 */
ifindex_t ifindex_ipv6_ll; /* 4 4 */
struct bgp_nexthop_cache_item entry; /* 8 32 */
uint32_t metric; /* 40 4 */
uint8_t nexthop_num; /* 44 1 */
_Bool is_evpn_gwip_nexthop; /* 45 1 */
uint16_t change_flags; /* 46 2 */
struct nexthop * nexthop; /* 48 8 */
time_t last_update; /* 56 8 */
/* --- cacheline 1 boundary (64 bytes) --- */
uint16_t flags; /* 64 2 */
/* XXX 2 bytes hole, try to pack */
uint32_t srte_color; /* 68 4 */
struct bgp_nexthop_cache_head * tree; /* 72 8 */
struct prefix prefix __attribute__((__aligned__(8))); /* 80 56 */
/* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */
void * nht_info; /* 136 8 */
struct path_list paths; /* 144 8 */
unsigned int path_count; /* 152 4 */
/* XXX 4 bytes hole, try to pack */
struct bgp * bgp; /* 160 8 */
/* size: 168, cachelines: 3, members: 17 */
/* sum members: 162, holes: 2, sum holes: 6 */
/* forced alignments: 1 */
/* last cacheline: 40 bytes */
} __attribute__((__aligned__(8))); /* saved 16 bytes! */
```
Signed-off-by: Donatas Abraitis <[email protected]>
```
struct peer_connection {
struct peer * peer; /* 0 8 */
enum bgp_fsm_status status; /* 8 4 */
enum bgp_fsm_status ostatus; /* 12 4 */
int fd; /* 16 4 */
uint32_t thread_flags; /* 20 4 */
pthread_mutex_t io_mtx; /* 24 40 */
/* --- cacheline 1 boundary (64 bytes) --- */
struct stream_fifo * ibuf; /* 64 8 */
struct stream_fifo * obuf; /* 72 8 */
struct ringbuf * ibuf_work; /* 80 8 */
struct event * t_read; /* 88 8 */
struct event * t_write; /* 96 8 */
struct event * t_connect; /* 104 8 */
struct event * t_delayopen; /* 112 8 */
struct event * t_start; /* 120 8 */
/* --- cacheline 2 boundary (128 bytes) --- */
struct event * t_holdtime; /* 128 8 */
struct event * t_connect_check_r; /* 136 8 */
struct event * t_connect_check_w; /* 144 8 */
struct event * t_gr_restart; /* 152 8 */
struct event * t_gr_stale; /* 160 8 */
struct event * t_generate_updgrp_packets; /* 168 8 */
struct event * t_pmax_restart; /* 176 8 */
struct event * t_routeadv; /* 184 8 */
/* --- cacheline 3 boundary (192 bytes) --- */
struct event * t_process_packet; /* 192 8 */
struct event * t_process_packet_error; /* 200 8 */
union sockunion su; /* 208 128 */
/* size: 336, cachelines: 6, members: 25 */
/* last cacheline: 16 bytes */
}; /* saved 8 bytes! */
```
Signed-off-by: Donatas Abraitis <[email protected]>
Include gtsm_hops (minttl) field when copying peer structure, so that a new connection could set a proper value. Signed-off-by: Alexander Skorichenko <[email protected]>
Check that leaks of a route with a recursive nexthop is possible. Signed-off-by: Louis Scalbert <[email protected]>
Leaked recursive routes are not resolved. > VRF r1-cust1: > B> 5.1.0.0/24 [200/98] via 99.0.0.1 (recursive), weight 1, 00:00:08 > * via 192.168.1.2, r1-eth4, weight 1, 00:00:08 > B>* 99.0.0.1/32 [200/0] via 192.168.1.2, r1-eth4, weight 1, 00:00:08 > VRF r1-cust4: > B 5.1.0.0/24 [20/98] via 99.0.0.1 (vrf r1-cust1) inactive, weight 1, 00:00:08 > B>* 99.0.0.1/32 [20/0] via 192.168.1.2, r1-eth4 (vrf r1-cust1), weight 1, 00:00:08 When announcing the routes to zebra, use the peer of the ultimate bgp path info instead of the one of the first parent path info to determine whether the route is recursive. The result is: > VRF r1-cust4: > B> 5.1.0.0/24 [20/98] via 99.0.0.1 (vrf r1-cust1) (recursive), weight 1, 00:00:02 > * via 192.168.1.2, r1-eth4 (vrf r1-cust1), weight 1, 00:00:02 > B>* 99.0.0.1/32 [20/0] via 192.168.1.2, r1-eth4 (vrf r1-cust1), weight 1, 00:00:02 Signed-off-by: Louis Scalbert <[email protected]>
While checking the code, we can notice that they are already converted. Suggested-by: Igor Ryzhov <[email protected]> Signed-off-by: Vincent Jardin <[email protected]>
Current code assumes that notification is always sent in stripped JSON format and therefore notification xpath starts at the third symbol of notification data. Assuming JSON is more or less fine, because this representation is internal to FRR, but the assumption about the xpath is wrong, because it won't work for not top-level notifications. YANG allows to define notification as a child for some data node deep into the tree and in this case notification data contains not only the notification node itself, but also all its parents. To fix the issue, parse the notification data and get its xpath from its schema node. Signed-off-by: Igor Ryzhov <[email protected]>
mgmtd: ripng, libs fully converted
In `qpb.h` we have a bunch of functions that make use of `union g_addr`. `union g_addr` is defined in `nexthop.h`, which actually is NOT included in `qpb.h`. Let's add the missing `#include nexthop.h`. Signed-off-by: Carmine Scarpitta <[email protected]>
qpb: Add missing `#include nexthop.h`
Currently, YANG notification processing is done using a special type of callbacks registered in backend clients. In this commit, we start using regular northbound infrastructure instead, because it already has a convenient way of registering xpath-specific callbacks without the need for creating additional structures for each necessary notification. We also now pass a notification data to the callback, instead of a plain JSON. This allows to use regular YANG library functions for inspecting notification fields, instead of manually parsing the JSON. Signed-off-by: Igor Ryzhov <[email protected]>
Signed-off-by: Igor Ryzhov <[email protected]>
bgpd: fix minttl copying during peer reset
build: fix configure output
…ions Some more memory optimizations
Fix and rework YANG notifications
Signed-off-by: Christian Hopps <[email protected]>
Signed-off-by: Christian Hopps <[email protected]>
Instead of output bulk of data with json output, prepare json context to decode opaque TLVs and sub-TLVs. Signed-off-by: Olivier Dugeon <[email protected]>
When dumping ospf database with json output, decode Traffic Engineering TLVs and sub-TLVs. Signed-off-by: Olivier Dugeon <[email protected]>
When dumping ospf database with json output, decode Router Information TLVs and sub-TLVs. Signed-off-by: Olivier Dugeon <[email protected]>
When dumping ospf database with json output, decode Extended Link and Extended Prefix TLVs and sub-TLVs. Signed-off-by: Olivier Dugeon <[email protected]>
Following new json decoder for Opaque LSA, this patch adapts the ospfapiclient test to the new json output. Signed-off-by: Olivier Dugeon <[email protected]>
bgpd: Fix `match peer` when switching between IPv4/IPv6/interface (backport #16022)
bgpd: Fix logging message when receiving a software version capability (backport #16033)
Currently zebra does not deny the routes if `ip protocol <proto> route-map FOO` commmand is configured with reference to an undefined route-map (FOO in this case). However, on FRR restart, in zebra_route_map_check() routes get denied if route-map name is available but the route-map is not defined. This change was introduced in fd303a4. Fix: When `ip protocol <proto> route-map FOO` CLI is configured with reference to an undefined route-map FOO, let the processing in ip_protocol_rm_add() and ip_protocol_rm_del() go through so that zebra can deny the routes instead of simply returning. This will result in consistent behavior. Testing Done: Before fix: ``` spine-1# configure spine-1(config)# ip protocol bgp route-map rmap7 root@spine-1:mgmt:/var/home/cumulus# vtysh -c "show run" | grep rmap7 ip protocol bgp route-map rmap7 root@spine-1:mgmt:/var/home/cumulus# spine-1(config)# do show ip route Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, A - Babel, D - SHARP, F - PBR, f - OpenFabric, Z - FRR, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure C>* 27.0.0.1/32 is directly connected, lo, 02:27:45 B>* 27.0.0.3/32 [20/0] via fe80::202:ff:fe00:21, downlink_1, weight 1, 02:27:35 B>* 27.0.0.4/32 [20/0] via fe80::202:ff:fe00:29, downlink_2, weight 1, 02:27:40 B>* 27.0.0.5/32 [20/0] via fe80::202:ff:fe00:31, downlink_3, weight 1, 02:27:40 B>* 27.0.0.6/32 [20/0] via fe80::202:ff:fe00:39, downlink_4, weight 1, 02:27:40 ``` After fix: ``` spine-1(config)# ip protocol bgp route-map route-map67 spine-1(config)# do show ip route Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, A - Babel, D - SHARP, F - PBR, f - OpenFabric, Z - FRR, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure C>* 27.0.0.1/32 is directly connected, lo, 00:35:03 B 27.0.0.3/32 [20/0] via fe80::202:ff:fe00:21, downlink_1 inactive, weight 1, 00:34:58 B 27.0.0.4/32 [20/0] via fe80::202:ff:fe00:29, downlink_2 inactive, weight 1, 00:34:57 B 27.0.0.5/32 [20/0] via fe80::202:ff:fe00:31, downlink_3 inactive, weight 1, 00:34:57 B 27.0.0.6/32 [20/0] via fe80::202:ff:fe00:39, downlink_4 inactive, weight 1, 00:34:58 spine-1(config)# root@spine-1:mgmt:/var/home/cumulus# ip route show root@spine-1:mgmt:/var/home/cumulus# ``` Signed-off-by: Pooja Jagadeesh Doijode <[email protected]> (cherry picked from commit 705e8ef78f84dea3af5943a74571f968ad076c8d)
zebra: Deny the routes if ip protocol CLI refers to an undefined rmap (backport #16032)
> ==2334217==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000001d0a0 at pc 0x563828c8de6f bp 0x7fffbdaee560 sp 0x7fffbdaee558 > READ of size 1 at 0x61000001d0a0 thread T0 > #0 0x563828c8de6e in prefix_sid_cmp isisd/isis_spf.c:187 > #1 0x7f84b8204f71 in hash_get lib/hash.c:142 > #2 0x7f84b82055ec in hash_lookup lib/hash.c:184 > #3 0x563828c8e185 in isis_spf_prefix_sid_lookup isisd/isis_spf.c:209 > #4 0x563828c90642 in isis_spf_add2tent isisd/isis_spf.c:598 > #5 0x563828c91cd0 in process_N isisd/isis_spf.c:824 > #6 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > #7 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > #8 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > #9 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > #10 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > #11 0x7f84b835c72d in event_call lib/event.c:2011 > #12 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > #13 0x563828c21918 in main isisd/isis_main.c:346 > #14 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > #15 0x563828c20df9 in _start (/usr/lib/frr/isisd+0xf5df9) > > 0x61000001d0a0 is located 96 bytes inside of 184-byte region [0x61000001d040,0x61000001d0f8) > freed by thread T0 here: > #0 0x7f84b88a9b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123 > #1 0x7f84b8263bae in qfree lib/memory.c:130 > #2 0x563828c8e433 in isis_vertex_del isisd/isis_spf.c:249 > #3 0x563828c91c95 in process_N isisd/isis_spf.c:811 > #4 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > #5 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > #6 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > #7 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > #8 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > #9 0x7f84b835c72d in event_call lib/event.c:2011 > #10 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > #11 0x563828c21918 in main isisd/isis_main.c:346 > #12 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > > previously allocated by thread T0 here: > #0 0x7f84b88aa037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > #1 0x7f84b8263a6c in qcalloc lib/memory.c:105 > #2 0x563828c8e262 in isis_vertex_new isisd/isis_spf.c:225 > #3 0x563828c904db in isis_spf_add2tent isisd/isis_spf.c:588 > #4 0x563828c91cd0 in process_N isisd/isis_spf.c:824 > #5 0x563828c93852 in isis_spf_process_lsp isisd/isis_spf.c:1041 > #6 0x563828c98dde in isis_spf_loop isisd/isis_spf.c:1821 > #7 0x563828c998de in isis_run_spf isisd/isis_spf.c:1983 > #8 0x563828c99c7b in isis_run_spf_with_protection isisd/isis_spf.c:2009 > #9 0x563828c9a60d in isis_run_spf_cb isisd/isis_spf.c:2090 > #10 0x7f84b835c72d in event_call lib/event.c:2011 > #11 0x7f84b8236d93 in frr_run lib/libfrr.c:1217 > #12 0x563828c21918 in main isisd/isis_main.c:346 > #13 0x7f84b7e4fd09 in __libc_start_main ../csu/libc-start.c:308 > > SUMMARY: AddressSanitizer: heap-use-after-free isisd/isis_spf.c:187 in prefix_sid_cmp > Shadow bytes around the buggy address: > 0x0c207fffb9c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffb9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffb9e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffb9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd > =>0x0c207fffba10: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fa > 0x0c207fffba20: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 > 0x0c207fffba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa > 0x0c207fffba60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb > Shadow gap: cc > ==2334217==ABORTING Fixes: 2f7cc7b ("isisd: detect Prefix-SID collisions and handle them appropriately") Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit e697de58431474cdb06eff79bcbc70de4215e222)
Leaked route from the l3VRF are installed with the loopback as the nexthop interface instead of the real interface. > B>* 10.0.0.0/30 [20/0] is directly connected, lo (vrf default), weight 1, 00:21:01 Routing of packet from a L3VRF to the default L3VRF destined to a leak prefix fails because of the default routing rules on Linux. > 0: from all lookup local > 1000: from all lookup [l3mdev-table] > 32766: from all lookup main > 32767: from all lookup default When the packet is received in the loopback interface, the local rules are checked without match, then the l3mdev-table says to route to the loopback. A routing loop occurs (TTL is decreasing). > 12:26:27.928748 ens37 In IP (tos 0x0, ttl 64, id 26402, offset 0, flags [DF], proto ICMP (1), length 84) > 10.0.0.2 > 10.0.1.2: ICMP echo request, id 47463, seq 1, length 64 > 12:26:27.928784 red Out IP (tos 0x0, ttl 63, id 26402, offset 0, flags [DF], proto ICMP (1), length 84) > 10.0.0.2 > 10.0.1.2: ICMP echo request, id 47463, seq 1, length 64 > 12:26:27.928797 ens38 Out IP (tos 0x0, ttl 63, id 26402, offset 0, flags [DF], proto ICMP (1), length 84) > 10.0.0.2 > 10.0.1.2: ICMP echo request, id 47463, seq 1, length 64 Do not set the lo interface as a nexthop interface. Keep the real interface where possible. Fixes: db7cf73 ("bgpd: fix interface on leaks from redistribute connected") Fixes: 067fbab ("bgpd: fix interface on leaks from network statement") Fixes: 8a02d9f ("bgpd: Set nh ifindex to VRF's interface, not the real") Fixes: FRRouting/frr#15909 Signed-off-by: Louis Scalbert <[email protected]> (cherry picked from commit 31fc89b2301ca624a331539c0a077627bacddbe2)
isisd: fix heap-after-free with prefix sid (backport #16021)
bgpd: fix route leaking from the default l3vrf (backport #16044)
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to read Segment Routing subTLVs. The original code doesn't check if the size of the SR subTLVs have the correct length. In presence of erronous LSA, this will cause a buffer overflow and ospfd crash. This patch introduces new verification of the subTLVs size for Router Information TLV. Co-authored-by: Iggy Frankovic <[email protected]> Signed-off-by: Olivier Dugeon <[email protected]> (cherry picked from commit f69d1313b19047d3d83fc2b36a518355b861dfc4)
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF LSA packets. The crash occurs in ospf_te_parse_ext_link() function when attemping to read Segment Routing Adjacency SID subTLVs. The original code doesn't check if the size of the Extended Link TLVs and subTLVs have the correct length. In presence of erronous LSA, this will cause a buffer overflow and ospfd crashes. This patch introduces new verification of the subTLVs size for Extended Link TLVs and subTLVs. Similar check has been also introduced for the Extended Prefix TLV. Co-authored-by: Iggy Frankovic <[email protected]> Signed-off-by: Olivier Dugeon <[email protected]> (cherry picked from commit 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a)
During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c could return null pointer, in particular when the link_id or advertised router IP addresses are fuzzed. As the null pointer returned by get_edge() function is not handlei by calling functions, this could cause ospfd crash. This patch introduces new verification of returned pointer by get_edge() function and stop the processing in case of null pointer. In addition, link ID and advertiser router ID are validated before calling ls_find_edge_by_key() to avoid the creation of a new edge with an invalid key. CVE-2024-34088 Co-authored-by: Iggy Frankovic <[email protected]> Signed-off-by: Olivier Dugeon <[email protected]> (cherry picked from commit 8c177d69e32b91b45bda5fc5da6511fa03dc11ca)
ospfd: Solved crash in RI parsing with OSPF TE (backport #15674)
When nhrpd is shutdown via nhrp_request_stop() the shutdown sequence was not handling the case where there are active shortcut routes installed. The zebra client and shortcut rib were being cleaned up before vrf_terminate() had an opportunity to delete the active routes. Signed-off-by: dleroy <[email protected]> (cherry picked from commit a4ee9762734332697ba186ae7223da1eb0445cb2)
…ology Contains 2 testcases. The first does a basic configuration/connectivity. The second testcase initiates a shortcut through the primary NHS, verifies shortcut routes are installed. Primary NHS interface brought down and verify that the shortcut is not impacted. Finally verify that after the shortcut expires, it is able to be re-established via a backup NHS. Signed-off-by: dleroy <[email protected]> (cherry picked from commit a7037ab23407d5667385f9be096e347caa0c94ad)
Test functions were duplicated by mistakes. They were identical. Fixes: 8af61c8 ("topotests: test leak from the default vrf") Signed-off-by: Louis Scalbert <[email protected]>
…ports_10.0 tests: fix duplicates in bgp_vrf_route_leak_basic
nhrpd: fixes core dump on shutdown (backport #15879)
There is no reason to call `igmp_anysource_forward_stop()` inside a call to `igmp_get_source_by_addr()`; not only it is not expected for a "get" function to perform such an action, but also the decision to start/stop forwarding is already handled correctly by pim outside `igmp_get_source_by_addr()`. That call was left there from the days pim was initially imported into the sources. The problem/crash was happening because `igmp_find_source_by_addr()` would fail to find the group/source combo when mixing `(*, G)` and `(S, G)`. When having an existing flow `(*, G)`, and a new `(S, G)` igmp is received, a new entry is correctly created. `igmp_anysource_forward_stop(group)` always stops and eventually frees `(*, G)`, even when the new igmp is `(S, G)`, leaving a bad state. I.e, the new entry for `(S, G)` causes `(*, G)` to be deleted. Tested the fix with multiple receivers on the same interface with several ssm and any source senders and receivers with various combination of start/stop orders and they all worked correctly. Fixes: #15630 Signed-off-by: Jafar Al-Gharaibeh <[email protected]> (cherry picked from commit a951960a15e8b6b5ed248abb0ecc9eb4e9a3427f)
When parsing a osf6 grace lsa field and we receive an unknown tlv type, ospf6d was not incrementing the pointer to get beyond the tlv. Leaving a situation where ospf6d would parse the packet incorrectly. Signed-off-by: Iggy Frankovic <[email protected]> (cherry picked from commit 826f2510e67711045e52cf4b5e3ddef514ed556e)
ospf6d: Prevent heap-buffer-overflow with unknown type (backport #16111)
pimd: fix crash when mixing ssm/any-source joins (backport #16115)
When a router route already exists in the area border routers table as an ABR and it solely changes its ABR or ASBR status, the change was missed and border route is not updated. This fixes the comparison for the router_bits in the ospf6_path structure. This fixes issue FRRouting/frr#16053 although the actual problem is not the computing router (r2) and not the OSPFv3 redistribution (r3). Signed-off-by: Acee <[email protected]> (cherry picked from commit 772688d2d3c03d8eeeb711c2fe3735c9e0885498)
ospf6d: OSPFv3 route change comparision fixed for ASBR-only change (backport #16098)
nhrp_shortcut_terminate() previously was just freeing the associated AFI shortcut RIBs and not addressing existing shortcut cache entries. This cause a use after free issue in vrf_terminate() later in the terminate sequence NHRP: Received signal 7 at 1717516286 (si_addr 0x1955d, PC 0x7098786912c0); aborting... NHRP: zlog_signal+0xf5 709878ad1255 7fff3d992eb0 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: core_handler+0xb5 709878b0db85 7fff3d992ff0 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: __sigaction+0x50 709878642520 7fff3d993140 /lib/x86_64-linux-gnu/libc.so.6 (mapped at 0x709878600000) NHRP: ---- signal ---- NHRP: __lll_lock_wait_private+0x90 7098786912c0 7fff3d9936d8 /lib/x86_64-linux-gnu/libc.so.6 (mapped at 0x709878600000) NHRP: pthread_mutex_lock+0x112 709878698002 7fff3d9936e0 /lib/x86_64-linux-gnu/libc.so.6 (mapped at 0x709878600000) NHRP: _event_add_read_write+0x63 709878b1f423 7fff3d993700 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: zclient_send_message+0xd4 709878b37614 7fff3d993770 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: nhrp_route_announce+0x1ad 5ab34d63d39d 7fff3d993790 /usr/lib/frr/nhrpd (mapped at 0x5ab34d621000) NHRP: nhrp_shortcut_cache_notify+0xd8 5ab34d63e758 7fff3d99d4e0 /usr/lib/frr/nhrpd (mapped at 0x5ab34d621000) NHRP: nhrp_cache_free+0x165 5ab34d632f25 7fff3d99d510 /usr/lib/frr/nhrpd (mapped at 0x5ab34d621000) NHRP: hash_iterate+0x4d 709878ab949d 7fff3d99d540 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: nhrp_cache_interface_del+0x37 5ab34d633eb7 7fff3d99d580 /usr/lib/frr/nhrpd (mapped at 0x5ab34d621000) NHRP: nhrp_if_delete_hook+0x26 5ab34d6350d6 7fff3d99d5a0 /usr/lib/frr/nhrpd (mapped at 0x5ab34d621000) NHRP: if_delete_retain+0x3d 709878abcd1d 7fff3d99d5c0 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: if_delete+0x4c 709878abd87c 7fff3d99d600 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: if_terminate+0x53 709878abda83 7fff3d99d630 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: vrf_terminate_single+0x24 709878b23c74 7fff3d99d670 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: nhrp_request_stop+0x34 5ab34d636844 7fff3d99d690 /usr/lib/frr/nhrpd (mapped at 0x5ab34d621000) NHRP: frr_sigevent_process+0x53 709878b0df53 7fff3d99d6a0 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: event_fetch+0x6c5 709878b20405 7fff3d99d6c0 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: frr_run+0xd3 709878ac8163 7fff3d99d840 /usr/lib/frr/libfrr.so.0 (mapped at 0x709878a00000) NHRP: main+0x195 5ab34d631915 7fff3d99d960 /usr/lib/frr/nhrpd (mapped at 0x5ab34d621000) NHRP: __libc_init_first+0x90 709878629d90 7fff3d99d980 /lib/x86_64-linux-gnu/libc.so.6 (mapped at 0x709878600000) NHRP: __libc_start_main+0x80 709878629e40 7fff3d99da20 /lib/x86_64-linux-gnu/libc.so.6 (mapped at 0x709878600000) NHRP: _start+0x25 5ab34d631b65 7fff3d99da70 /usr/lib/frr/nhrpd (mapped at 0x5ab34d621000) Signed-off-by: Dave LeRoy <[email protected]> (cherry picked from commit 2b7e357cf902190aad544b4f7d46e9f229454346)
nhrpd: cleans up shortcut cache entries on termination (backport #16170)
Changelog:
bgpd
Fix route leaking from the default l3vrf
Allow using optional table id for negative `no set table x` command
Apply noop when doing negative commands for gr operations
Drop newline in json output for `show bgp afi safi json detail`
Fix `match peer` when switching between ipv4/ipv6/interface
Fix `no set as-path prepend asnum...`
Fix crash when deleting the srv6 locator
Fix display when using `missing-as-worst`
Fix dynamic peer graceful restart race condition
Fix logging message when receiving a software version capability
Fix show run of network route-distinguisher
Fix srv6 memory leaks spotted by asan
Fix the order of null check and zapi decode
Ignore validating the attribute flags if path-attribute is configured
Inherit `capability software-version` flag from the peer-group
Inherit `enforce-first-as` flag from the peer-group
Move srv6 cleanup functions
Print old/new states of graceful restart fsm
Revert "Fix pointer arithmetic in bgp snmp module"
debian, redhat, snapcraft
Libyang min version is 2.1.128
isisd
Fix heap-after-free with prefix sid
Fix ip/ipv6 reachability tlvs
lib
Check for not being a blackhole route
Fix exit commands
Remove nb/yang memory cleanup when daemonizing
Replace deprecated ares_gethostbyname
Replace deprecated ares_process()
nhrpd
Fix race condition
Fix core dump on shutdown
Clean up shortcut cache entries on termination
ospf6d
Accept cli `no` for point-to-multipoint
Fix defun formatting wrecked by clang
Fix loopback/ptp/ptmp conn. route checks
Force recalculate on interface_up
Prevent heap-buffer-overflow with unknown
Ospfv3 route change comparision fixed for asbr-only change
ospfd
Correct opaque lsa extended parser
Fix the bug where ip_ospf_dead-interval_minimal_hello-multiplier did not reset hello timer
Protect call to get_edge() in ospf_te.c
Solved crash in ri parsing with ospf te
Revert "Fix some dicey pointer arith in snmp module"
pimd
Fix crash unconfiguring rp keepalive timer
Fix dr-priority range
Fix null register before aging out reg-stop
Fix order of operations for evaluating join
Fix crash when mixing ssm/any-source joins
tests
Check if ibgp session can drop invalid aigp attribute
tools
Frr-reload strip interface vrf ctx line
Handle seq num for bgp as-path in frr-reload.py
topotests
Do not check table version
vtysh
Check if bgpd is enabled before installing vtysh commands for rpki
Fix `show route-map` command when calling via `do`
Show `ip ospf network ...` even if it's not the same as the interface type
zebra
Deny the routes if ip protocol cli refers to an undefined rmap
Fix encoded dnssl length
Fix evpn svd based remote nh neigh del
Fix mpls command
Signed-off-by: Jafar Al-Gharaibeh <[email protected]>
|
|
@hasan-brcm I think you have the permission to directly push frr/10.0.1. I don't think PR is required. |
|
Cancelling |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.