Add documentation for generating show CLI from YANG operational state#5

Closed
choppsv1 wants to merge 0 commits into chopps/yang-cli-ext from codex/add-documentation-for-cli-show-commands

Collaborator

@choppsv1 choppsv1 commented Oct 13, 2025

will repost

@choppsv1 choppsv1 closed this Oct 13, 2025
@choppsv1 choppsv1 reopened this Oct 13, 2025
@choppsv1 choppsv1 closed this Oct 13, 2025
@choppsv1 choppsv1 force-pushed the codex/add-documentation-for-cli-show-commands branch from 69fc7bb to 5475175 Compare October 13, 2025 05:27
@choppsv1 choppsv1 deleted the codex/add-documentation-for-cli-show-commands branch October 13, 2025 05:31
@choppsv1 choppsv1 removed the codex label Oct 13, 2025
louberger pushed a commit that referenced this pull request Oct 14, 2025
We can do this now in gdb:

(rr) walk_bgp_table table
Walking BGP table at 0x55bd95ec5b70
  AFI: 3, SAFI: 5
  Version: 0
  (Two-level table: RD -> Routes)

=== RD: 10.0.0.21:2 ===

  === Dest #1: 0x55bd961a0130 ===
  Prefix: [5]:[0]:[32]:10.1.1.1
    dest->flags: 0x1 PROCESS_SCHEDULED
    --- Path #1 ---
      bgp_path_info: 0x55bd961a04b0
        peer: 0x55bd95ebdfd0 (Static announcement)
        type: 10, sub_type: 1 (STATIC)
        flags: 0x80010 VALID UNSORTED
        uptime: 764569, lock: 1
        attr: 0x55bd961a0380 (nexthop: 120.0.0.3)
        extra: 0x55bd960ac720 [has labels] [has evpn]
        next: 0x0, prev: 0x0

=== RD: 10.0.0.33:1 ===

  === Dest #2: 0x55bd95eb41e0 ===
  Prefix: [5]:[0]:[32]:10.1.1.1
    dest->flags: 0x0
    --- Path #1 ---
      bgp_path_info: 0x55bd95ea2a20
        peer: 0x55bd95ed56a0 (10.0.0.18)
        type: 10, sub_type: 0 (NORMAL)
        flags: 0x418 SELECTED VALID COUNTED
        uptime: 764568, lock: 2
        attr: 0x55bd956aa3b0 (nexthop: 120.0.0.1)
        extra: 0x55bd960a5d60 [has labels] [has evpn]
        next: 0x0, prev: 0x0

  === Dest #3: 0x55bd960aa4b0 ===
  Prefix: [5]:[0]:[128]:10:0:0:0:0:0:0:1
    dest->flags: 0x0
    --- Path #1 ---
      bgp_path_info: 0x55bd960ad190
        peer: 0x55bd95ed56a0 (10.0.0.18)
        type: 10, sub_type: 0 (NORMAL)
        flags: 0x418 SELECTED VALID COUNTED
        uptime: 764569, lock: 2
        attr: 0x55bd960ad2e0 (nexthop: 120.0.0.1)
        extra: 0x55bd960aa540 [has labels] [has evpn]
        next: 0x0, prev: 0x0

=== RD: 10.0.0.37:2 ===

  === Dest #4: 0x55bd960ad930 ===
  Prefix: [5]:[0]:[32]:20.1.1.1
    dest->flags: 0x0
    --- Path #1 ---
      bgp_path_info: 0x55bd960a97b0
        peer: 0x55bd95ed56a0 (10.0.0.18)
        type: 10, sub_type: 0 (NORMAL)
        flags: 0x418 SELECTED VALID COUNTED
        uptime: 764568, lock: 2
        attr: 0x55bd960a93b0 (nexthop: 120.0.0.1)
        extra: 0x55bd960a6b30 [has labels] [has evpn]
        next: 0x0, prev: 0x0

--Type <RET> for more, q to quit, c to continue without paging--
=== RD: 10.0.0.41:3 ===

  === Dest #5: 0x55bd960a9c30 ===
  Prefix: [5]:[0]:[32]:30.1.1.1
    dest->flags: 0x0
    --- Path #1 ---
      bgp_path_info: 0x55bd960a9e10
        peer: 0x55bd95ed56a0 (10.0.0.18)
        type: 10, sub_type: 0 (NORMAL)
        flags: 0x418 SELECTED VALID COUNTED
        uptime: 764568, lock: 2
        attr: 0x55bd960a9cc0 (nexthop: 120.0.0.1)
        extra: 0x55bd960a9eb0 [has labels] [has evpn]
        next: 0x0, prev: 0x0

=== Summary ===
Total destinations with paths: 5
Total paths: 5

Or:

(rr) walk_bgp_table table
Walking BGP table at 0x55bd95ee53b0
  AFI: 2, SAFI: 1
  Version: 1

=== Dest #1: 0x55bd960ad4a0 ===
Prefix: IPv6:10:0:0:0:0:0:0:1/128
  dest->flags: 0x1 PROCESS_SCHEDULED
  --- Path #1 ---
    bgp_path_info: 0x55bd960a5eb0
      peer: 0x55bd95ef92c0 (fd00:0:0:5::2)
      type: 10, sub_type: 0 (NORMAL)
      flags: 0x80400 COUNTED UNSORTED
      uptime: 764569, lock: 1
      attr: 0x55bd9619fb20 (nexthop: 0.0.0.0)
      extra: 0x55bd95ef31d0
      next: 0x55bd960abe30, prev: 0x0
  --- Path #2 ---
    bgp_path_info: 0x55bd960abe30
      peer: 0x55bd95ed56a0 (10.0.0.18)
      type: 10, sub_type: 5 (IMPORTED)
      flags: 0x4018 SELECTED VALID ANNC_NH_SELF
      uptime: 764569, lock: 1
      attr: 0x55bd960ad530 (nexthop: 120.0.0.1)
      extra: 0x55bd960abed0 [has labels] [has vrfleak]
      next: 0x0, prev: 0x55bd960a5eb0

=== Summary ===
Total destinations with paths: 1
Total paths: 2

People might find this useful.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
louberger pushed a commit that referenced this pull request Oct 15, 2025
On one interface without any mld/pim/igmp configuration, set the command:
`ip igmp require-router-alert` or `ipv6 mld require-router-alert`.
It will crash for empty `pim_ifp`.

```
 #0  0x000055cd72861d40 in lib_interface_gmp_require_router_alert_modify (args=0x7ffec1894e70) at ../pimd/pim_nb_config.c:4768
 #1  0x00007f5cdcda137b in nb_callback_modify (context=0x55cd74647a10, nb_node=0x55cd7441c970, event=NB_EV_APPLY, dnode=0x55cd74646350, resource=0x55cd746470c8,
     errmsg=0x7ffec1895460 "", errmsg_len=8192) at ../lib/northbound.c:1598
 #2  0x00007f5cdcda20b7 in nb_callback_configuration (context=0x55cd74647a10, event=NB_EV_APPLY, change=0x55cd74647090, errmsg=0x7ffec1895460 "", errmsg_len=8192)
     at ../lib/northbound.c:1962
 #3  0x00007f5cdcda261f in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55cd74647a10, errmsg=0x7ffec1895460 "", errmsg_len=8192) at ../lib/northbound.c:2091
 #4  0x00007f5cdcda0cee in nb_candidate_commit_apply (transaction=0x55cd74647a10, save_transaction=true, transaction_id=0x0, errmsg=0x7ffec1895460 "", errmsg_len=8192)
     at ../lib/northbound.c:1409
 #5  0x00007f5cdcda0e76 in nb_candidate_commit (context=..., candidate=0x55cd7439d960, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffec1895460 "",
     errmsg_len=8192) at ../lib/northbound.c:1449
 #6  0x00007f5cdcda78aa in nb_cli_classic_commit (vty=0x55cd74639b60) at ../lib/northbound_cli.c:57
 #7  0x00007f5cdcda7ea5 in nb_cli_apply_changes_internal (vty=0x55cd74639b60,
     xpath_base=0x7ffec18994f0 "/frr-interface:lib/interface[name='xx']/frr-gmp:gmp/address-family[address-family='frr-routing:ipv4']", clear_pending=false)
     at ../lib/northbound_cli.c:195
 #8  0x00007f5cdcda8196 in _nb_cli_apply_changes (vty=0x55cd74639b60, xpath_base=0x7ffec1899940 "./frr-gmp:gmp/address-family[address-family='frr-routing:ipv4']",
     clear_pending=false) at ../lib/northbound_cli.c:251
 ```

Signed-off-by: anlan_cs <anlan_cs@126.com>
louberger pushed a commit that referenced this pull request Nov 7, 2025
On one interface without any mld/pim/igmp configuration, set the command:
`ip igmp require-router-alert` or `ipv6 mld require-router-alert`.
It will crash for empty `pim_ifp`.

```
 #0  0x000055cd72861d40 in lib_interface_gmp_require_router_alert_modify (args=0x7ffec1894e70) at ../pimd/pim_nb_config.c:4768
 #1  0x00007f5cdcda137b in nb_callback_modify (context=0x55cd74647a10, nb_node=0x55cd7441c970, event=NB_EV_APPLY, dnode=0x55cd74646350, resource=0x55cd746470c8,
     errmsg=0x7ffec1895460 "", errmsg_len=8192) at ../lib/northbound.c:1598
 #2  0x00007f5cdcda20b7 in nb_callback_configuration (context=0x55cd74647a10, event=NB_EV_APPLY, change=0x55cd74647090, errmsg=0x7ffec1895460 "", errmsg_len=8192)
     at ../lib/northbound.c:1962
 #3  0x00007f5cdcda261f in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55cd74647a10, errmsg=0x7ffec1895460 "", errmsg_len=8192) at ../lib/northbound.c:2091
 #4  0x00007f5cdcda0cee in nb_candidate_commit_apply (transaction=0x55cd74647a10, save_transaction=true, transaction_id=0x0, errmsg=0x7ffec1895460 "", errmsg_len=8192)
     at ../lib/northbound.c:1409
 #5  0x00007f5cdcda0e76 in nb_candidate_commit (context=..., candidate=0x55cd7439d960, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffec1895460 "",
     errmsg_len=8192) at ../lib/northbound.c:1449
 #6  0x00007f5cdcda78aa in nb_cli_classic_commit (vty=0x55cd74639b60) at ../lib/northbound_cli.c:57
 #7  0x00007f5cdcda7ea5 in nb_cli_apply_changes_internal (vty=0x55cd74639b60,
     xpath_base=0x7ffec18994f0 "/frr-interface:lib/interface[name='xx']/frr-gmp:gmp/address-family[address-family='frr-routing:ipv4']", clear_pending=false)
     at ../lib/northbound_cli.c:195
 #8  0x00007f5cdcda8196 in _nb_cli_apply_changes (vty=0x55cd74639b60, xpath_base=0x7ffec1899940 "./frr-gmp:gmp/address-family[address-family='frr-routing:ipv4']",
     clear_pending=false) at ../lib/northbound_cli.c:251
 ```

Signed-off-by: anlan_cs <anlan_cs@126.com>
(cherry picked from commit 7491c07)
choppsv1 pushed a commit that referenced this pull request Jan 7, 2026
Error:

    ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000ef8a0 at pc 0x555df66ba094 bp 0x7ffc13d67240 sp 0x7ffc13d67238
    READ of size 4 at 0x6070000ef8a0 thread T0
        #0 0x555df66ba093 in zebra_gr_delete_stale_route_table_afi zebra/zebra_gr.c:514
        #1 0x7fd33d6db06e in event_call lib/event.c:2013
        #2 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257
        #3 0x555df66531ec in main zebra/main.c:552
        #4 0x7fd33d10c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #5 0x7fd33d10c304 in __libc_start_main_impl ../csu/libc-start.c:360
        #6 0x555df6626b40 in _start (/usr/lib/frr/zebra+0x1a1b40)

    0x6070000ef8a0 is located 0 bytes inside of 72-byte region [0x6070000ef8a0,0x6070000ef8e8)
    freed by thread T0 here:
        #0 0x7fd33dab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
        #1 0x7fd33d622cd5 in qfree lib/memory.c:136
        #2 0x555df66b9e5f in zebra_gr_client_info_delete zebra/zebra_gr.c:130
        #3 0x555df66bc66f in zread_client_capabilities zebra/zebra_gr.c:355
        #4 0x555df66a025c in zserv_handle_commands zebra/zapi_msg.c:4228
        #5 0x555df67cde33 in zserv_process_messages zebra/zserv.c:565
        #6 0x7fd33d6db06e in event_call lib/event.c:2013
        #7 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257
        #8 0x555df66531ec in main zebra/main.c:552
        #9 0x7fd33d10c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

    previously allocated by thread T0 here:
        #0 0x7fd33dab83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
        #1 0x7fd33d6223e2 in qcalloc lib/memory.c:111
        #2 0x555df66bbace in zebra_gr_client_info_create zebra/zebra_gr.c:101
        #3 0x555df66bbace in zread_client_capabilities zebra/zebra_gr.c:360
        #4 0x555df66a025c in zserv_handle_commands zebra/zapi_msg.c:4228
        #5 0x555df67cde33 in zserv_process_messages zebra/zserv.c:565
        #6 0x7fd33d6db06e in event_call lib/event.c:2013
        #7 0x7fd33d5fffa1 in frr_run lib/libfrr.c:1257
        #8 0x555df66531ec in main zebra/main.c:552
        #9 0x7fd33d10c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Pooja Jagadeesh Doijode <pdoijode@nvidia.com>
choppsv1 pushed a commit that referenced this pull request Jan 17, 2026
The following crash happens, when moving from level-2 to level-1 an isis
flex-algorithm configuration

> warning: 44     ./nptl/pthread_kill.c: No such file or directory
> [Current thread is 1 (Thread 0x7108d4cb2980 (LWP 1023))]
> (gdb) bt
> #0  __pthread_kill_implementation (no_tid=0, signo=11,
>     threadid=<optimized out>) at ./nptl/pthread_kill.c:44
> #1  __pthread_kill_internal (signo=11, threadid=<optimized out>)
>     at ./nptl/pthread_kill.c:78
> #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
>     at ./nptl/pthread_kill.c:89
> #3  0x00007108d3e4527e in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
> #4  0x00007108d4b44926 in core_handler (signo=11, siginfo=0x7ffe7c10fb30,
>     context=0x7ffe7c10fa00)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:248
> #5  <signal handler called>
> #6  0x00005b5d803bf07b in isis_spf_invalidate_routes (tree=0x0)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2118
> #7  0x00005b5d803fb23e in isis_area_invalidate_routes (area=0x5b5db8d5be40,
>     levels=1)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isisd.c:3152
> #8  0x00005b5d803bf280 in isis_run_spf_cb (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2165
> #9  0x00007108d4b5ff7f in event_call (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/event.c:2011
> #10 0x00007108d4adb761 in frr_run (master=0x5b5db7f7ca40)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1219
> #11 0x00005b5d8038333a in main (argc=5, argv=0x7ffe7c1103d8,
> --Type <RET> for more, q to quit, c to continue without paging--
>     envp=0x7ffe7c110408)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_main.c:360
> (gdb)

Fix this by adding protection before invalidating all routes.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
choppsv1 pushed a commit that referenced this pull request Jan 25, 2026
In bgp_evpn_mh_finish(), accessing es->es_evi_list after calling
bgp_evpn_es_local_info_clear() causes use-after-free when the ES
gets freed.

Fix by checking and cleaning ES-EVIs before clearing local info.

AddressSanitizer error in topotest `test_bgp_evpn_ead_evi_routes.py`, test `check_daemon`, router `tor2`

ERROR: AddressSanitizer: heap-use-after-free on address 0xffff817d9f28 at pc 0xaaaae8a31974 bp 0xffffc069e410 sp 0xffffc069e400
READ of size 8 at 0xffff817d9f28 thread T0
    #0 0xaaaae8a31970 in bgp_evpn_mh_finish bgpd/bgp_evpn_mh.c:5093
    #1 0xaaaae89b66bc in bgp_exit bgpd/bgp_main.c:193
    #2 0xaaaae89b66bc in sigint bgpd/bgp_main.c:141
    #3 0xffff862f6440 in frr_sigevent_process lib/sigevent.c:117
    #4 0xffff8632095c in event_fetch_inner_loop lib/event.c:2427
    #5 0xffff8632095c in event_fetch lib/event.c:2559
    #6 0xffff86258100 in frr_run lib/libfrr.c:1257
    #7 0xaaaae89af55c in main bgpd/bgp_main.c:549
    #8 0xffff85c773fc in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0xffff85c774d4 in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0xaaaae89b4dac in _start (/usr/lib/frr/bgpd+0x2e4dac)

0xffff817d9f28 is located 168 bytes inside of 248-byte region [0xffff817d9e80,0xffff817d9f78)
freed by thread T0 here:
    #0 0xffff8669f0d8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0xaaaae8a316f0 in bgp_evpn_es_local_info_clear bgpd/bgp_evpn_mh.c:2058
    #2 0xaaaae8a316f0 in bgp_evpn_mh_finish bgpd/bgp_evpn_mh.c:5088
    #3 0xaaaae89b66bc in bgp_exit bgpd/bgp_main.c:193
    #4 0xaaaae89b66bc in sigint bgpd/bgp_main.c:141
    #5 0xffff862f6440 in frr_sigevent_process lib/sigevent.c:117
    #6 0xffff8632095c in event_fetch_inner_loop lib/event.c:2427
    #7 0xffff8632095c in event_fetch lib/event.c:2559
    #8 0xffff86258100 in frr_run lib/libfrr.c:1257
    #9 0xaaaae89af55c in main bgpd/bgp_main.c:549
    #10 0xffff85c773fc in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0xffff85c774d4 in __libc_start_main_impl ../csu/libc-start.c:392
    #12 0xaaaae89b4dac in _start (/usr/lib/frr/bgpd+0x2e4dac)

previously allocated by thread T0 here:
    #0 0xffff8669f5f4 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0xffff86277c30 in qcalloc lib/memory.c:111
    #2 0xaaaae8a19ba8 in bgp_evpn_es_new bgpd/bgp_evpn_mh.c:1925
    #3 0xaaaae8a2a4d4 in bgp_evpn_local_es_add bgpd/bgp_evpn_mh.c:2420
    #4 0xaaaae8bc7080 in bgp_zebra_process_local_es_add bgpd/bgp_zebra.c:3272
    #5 0xffff863511c4 in zclient_read lib/zclient.c:4870
    #6 0xffff863212e4 in event_call lib/event.c:2730
    #7 0xffff862580f4 in frr_run lib/libfrr.c:1258
    #8 0xaaaae89af55c in main bgpd/bgp_main.c:549
    #9 0xffff85c773fc in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0xffff85c774d4 in __libc_start_main_impl ../csu/libc-start.c:392
    #11 0xaaaae89b4dac in _start (/usr/lib/frr/bgpd+0x2e4dac)

SUMMARY: AddressSanitizer: heap-use-after-free bgpd/bgp_evpn_mh.c:5093 in bgp_evpn_mh_finish

Signed-off-by: Rajasekar Raja <rajasekarr@nvidia.com>
choppsv1 pushed a commit that referenced this pull request Jan 31, 2026
Changes:

- check for zif->brslave_info.br_if, before access
- If ES config is pushed when bond is not associated with bridge
  throw warning in zebra_evpn_es_setup_evis, when bond gets linked
  process zebra_evpn_es_setup_evis and send update to bgp.

BT:
==268631==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0xaaaac9734754 bp 0xffffe9ae0370 sp 0xffffe9ae00b0 T0)
==268631==The signal is caused by a READ memory access.
==268631==Hint: address points to the zero page.
    #0 0xaaaac9734754 in zebra_evpn_acc_vl_find zebra/zebra_evpn_mh.c:554
    #1 0xaaaac9734754 in zebra_evpn_es_setup_evis zebra/zebra_evpn_mh.c:2127
    #2 0xaaaac9734754 in zebra_evpn_es_local_info_set zebra/zebra_evpn_mh.c:2350
    #3 0xaaaac9734754 in zebra_evpn_local_es_update zebra/zebra_evpn_mh.c:2514
    #4 0xaaaac968df28 in lib_interface_zebra_evpn_mh_type_3_local_discriminator_modify zebra/zebra_nb_config.c:2491
    #5 0xffff8ab9d1f0 in nb_callback_modify lib/northbound.c:1600
    #6 0xffff8ab9d1f0 in nb_callback_configuration lib/northbound.c:1964
    #7 0xffff8ab9def4 in nb_transaction_process lib/northbound.c:2093
    #8 0xffff8ab9def4 in nb_candidate_commit_apply lib/northbound.c:1411
    #9 0xffff8ab70b54 in mgmt_be_txn_proc_cfgapply lib/mgmt_be_client.c:614
    #10 0xffff8ab73de8 in be_client_handle_cfg_apply lib/mgmt_be_client.c:645
    #11 0xffff8ab73de8 in be_client_handle_native_msg lib/mgmt_be_client.c:1001
    #12 0xffff8ab73de8 in mgmt_be_client_process_msg lib/mgmt_be_client.c:1040
    #13 0xffff8ab73de8 in mgmt_be_client_process_msg lib/mgmt_be_client.c:1027
    #14 0xffff8ab7b9b0 in mgmt_msg_procbufs lib/mgmt_msg.c:199
    #15 0xffff8ab7bb40 in msg_conn_proc_msgs lib/mgmt_msg.c:520
    #16 0xffff8ac1a894 in event_call lib/event.c:2730
    #17 0xffff8ab4f4d4 in frr_run lib/libfrr.c:1258
    #18 0xaaaac95a9698 in main zebra/main.c:580
    #19 0xffff8a5b73fc in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #20 0xffff8a5b74d4 in __libc_start_main_impl ../csu/libc-start.c:392
    #21 0xaaaac95accac in _start (/usr/lib/frr/zebra+0x1accac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV zebra/zebra_evpn_mh.c:554 in zebra_evpn_acc_vl_find

Signed-off-by: Ashwini Reddy <ashred@nvidia.com>

Signed-off-by: Rajasekar Raja <rajasekarr@nvidia.com>
choppsv1 pushed a commit that referenced this pull request Jan 31, 2026
Free the newly allocated VLAN bitmap and restore the old one when
no bridge VLAN info is available.

ASAN Leak:

==315014==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 516 byte(s) in 1 object(s) allocated from:
    #0 0xffffa65af5f4 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0xffffa617f040 in qcalloc lib/memory.c:111
    #2 0xaaaad9853130 in interface_bridge_vlan_update zebra/interface.c:1920
    #3 0xaaaad9853130 in interface_bridge_handling zebra/interface.c:1967
    #4 0xaaaad9853130 in zebra_if_dplane_ifp_handling zebra/interface.c:2063
    #5 0xaaaad9853130 in zebra_if_dplane_result zebra/interface.c:2380
    #6 0xaaaad9961664 in rib_process_dplane_results zebra/zebra_rib.c:5043
    #7 0xffffa622a894 in event_call lib/event.c:2730
    #8 0xffffa615f4d4 in frr_run lib/libfrr.c:1258
    #9 0xaaaad9839918 in main zebra/main.c:580
    #10 0xffffa5bc73fc in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0xffffa5bc74d4 in __libc_start_main_impl ../csu/libc-start.c:392
    #12 0xaaaad983cf2c in _start (/usr/lib/frr/zebra+0x1acf2c)

SUMMARY: AddressSanitizer: 516 byte(s) leaked in 1 allocation(s).

Signed-off-by: Rajasekar Raja <rajasekarr@nvidia.com>
choppsv1 pushed a commit that referenced this pull request Feb 5, 2026
… transfer

In peer_xfer_conn(), the hostname, domainname, and soft_version pointers
were transferred between peers using simple pointer assignment, which
caused both peers to reference the same memory. If the transfer didn't
complete cleanly or there was a race condition during peer state
transitions, when both peers were eventually deleted, the same memory
was freed twice, causing a crash.

Fix this by using XSTRDUP() to create independent copies of the strings
instead of transferring pointer ownership. This ensures each peer owns
its own memory and can be safely deleted independently.

Crash was seen intermittently when removing interface-based BGP neighbors
from peer-groups after the session reached Established state.
example: no neighbor swp3 interface peer-group fabric

Backtrace:

#0  0x00007fc88b41aeec in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fc88b3cbfb2 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007fc88b70045c in core_handler (signo=11, siginfo=0x7fffbdee6c30, context=<optimized out>) at ../lib/sigevent.c:261
#3  <signal handler called>
#4  0x00007fc88b429d49 in malloc_usable_size () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007fc88b6c99f9 in mt_count_free (ptr=0x55ff594d9320, mt=0x55ff25046460 <MTYPE_BGP_PEER_HOST>) at ../lib/memory.c:77
#6  qfree (mt=0x55ff25046460 <MTYPE_BGP_PEER_HOST>, ptr=0x55ff594d9320) at ../lib/memory.c:129
#7  0x000055ff24eac802 in peer_delete (peer=peer@entry=0x55ff5941d770) at ../bgpd/bgpd.c:2864
#8  0x000055ff24e65982 in no_neighbor_interface_config (...) at ../bgpd/bgp_vty.c:5862
#9  0x00007fc88b695ab0 in cmd_execute_command_real (...) at ../lib/command.c:1018
#10 0x00007fc88b695bae in cmd_execute_command (...) at ../lib/command.c:1076
#11 0x00007fc88b695e40 in cmd_execute (vty=..., cmd=no neighbor swp3 interface peer-group test_gr_shut, ...) at ../lib/command.c:1243

Ticket: FRRouting#20628
Signed-off-by: Rajesh Varatharaj <rvaratharaj@nvidia.com>
louberger pushed a commit that referenced this pull request Feb 24, 2026
The following crash happens, when moving from level-2 to level-1 an isis
flex-algorithm configuration

> warning: 44     ./nptl/pthread_kill.c: No such file or directory
> [Current thread is 1 (Thread 0x7108d4cb2980 (LWP 1023))]
> (gdb) bt
> #0  __pthread_kill_implementation (no_tid=0, signo=11,
>     threadid=<optimized out>) at ./nptl/pthread_kill.c:44
> #1  __pthread_kill_internal (signo=11, threadid=<optimized out>)
>     at ./nptl/pthread_kill.c:78
> #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
>     at ./nptl/pthread_kill.c:89
> #3  0x00007108d3e4527e in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
> #4  0x00007108d4b44926 in core_handler (signo=11, siginfo=0x7ffe7c10fb30,
>     context=0x7ffe7c10fa00)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:248
> #5  <signal handler called>
> #6  0x00005b5d803bf07b in isis_spf_invalidate_routes (tree=0x0)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2118
> #7  0x00005b5d803fb23e in isis_area_invalidate_routes (area=0x5b5db8d5be40,
>     levels=1)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isisd.c:3152
> #8  0x00005b5d803bf280 in isis_run_spf_cb (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_spf.c:2165
> #9  0x00007108d4b5ff7f in event_call (thread=0x7ffe7c110180)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/event.c:2011
> #10 0x00007108d4adb761 in frr_run (master=0x5b5db7f7ca40)
>     at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1219
> #11 0x00005b5d8038333a in main (argc=5, argv=0x7ffe7c1103d8,
> --Type <RET> for more, q to quit, c to continue without paging--
>     envp=0x7ffe7c110408)
>     at /build/make-pkg/output/_packages/cp-routing/src/isisd/isis_main.c:360
> (gdb)

Fix this by adding protection before invalidating all routes.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
(cherry picked from commit 65269be)
louberger pushed a commit that referenced this pull request Feb 24, 2026
… transfer

In peer_xfer_conn(), the hostname, domainname, and soft_version pointers
were transferred between peers using simple pointer assignment, which
caused both peers to reference the same memory. If the transfer didn't
complete cleanly or there was a race condition during peer state
transitions, when both peers were eventually deleted, the same memory
was freed twice, causing a crash.

Fix this by using XSTRDUP() to create independent copies of the strings
instead of transferring pointer ownership. This ensures each peer owns
its own memory and can be safely deleted independently.

Crash was seen intermittently when removing interface-based BGP neighbors
from peer-groups after the session reached Established state.
example: no neighbor swp3 interface peer-group fabric

Backtrace:

#0  0x00007fc88b41aeec in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fc88b3cbfb2 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007fc88b70045c in core_handler (signo=11, siginfo=0x7fffbdee6c30, context=<optimized out>) at ../lib/sigevent.c:261
#3  <signal handler called>
#4  0x00007fc88b429d49 in malloc_usable_size () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007fc88b6c99f9 in mt_count_free (ptr=0x55ff594d9320, mt=0x55ff25046460 <MTYPE_BGP_PEER_HOST>) at ../lib/memory.c:77
#6  qfree (mt=0x55ff25046460 <MTYPE_BGP_PEER_HOST>, ptr=0x55ff594d9320) at ../lib/memory.c:129
#7  0x000055ff24eac802 in peer_delete (peer=peer@entry=0x55ff5941d770) at ../bgpd/bgpd.c:2864
#8  0x000055ff24e65982 in no_neighbor_interface_config (...) at ../bgpd/bgp_vty.c:5862
#9  0x00007fc88b695ab0 in cmd_execute_command_real (...) at ../lib/command.c:1018
#10 0x00007fc88b695bae in cmd_execute_command (...) at ../lib/command.c:1076
#11 0x00007fc88b695e40 in cmd_execute (vty=..., cmd=no neighbor swp3 interface peer-group test_gr_shut, ...) at ../lib/command.c:1243

Ticket: FRRouting#20628
Signed-off-by: Rajesh Varatharaj <rvaratharaj@nvidia.com>
(cherry picked from commit 27064f7)
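
The ownership problem described in the `peer_xfer_conn()` commit message above, as an added C example that is not FRR code: `struct demo_peer`, the `demo_*` functions and the sample strings are hypothetical, and plain `malloc`/`free` stand in for `XSTRDUP()`/`qfree()`. It counts the string pointers two peers share after each style of transfer; every shared pointer would be freed twice once both peers are deleted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cut-down peer: only the three strings named in the commit
 * message. This is not FRR's struct peer. */
struct demo_peer {
	char *hostname;
	char *domainname;
	char *soft_version;
};

/* Stand-in for XSTRDUP(): return an independent heap copy of s (or NULL). */
static char *demo_strdup(const char *s)
{
	size_t len = s ? strlen(s) + 1 : 0;
	char *copy = len ? malloc(len) : NULL;

	if (len && !copy)
		abort();
	return copy ? memcpy(copy, s, len) : NULL;
}

/* "Before": pointer assignment. Both peers now hold the same allocations. */
static void demo_xfer_alias(struct demo_peer *to, const struct demo_peer *from)
{
	to->hostname = from->hostname;
	to->domainname = from->domainname;
	to->soft_version = from->soft_version;
}

/* "After": each peer gets its own copy and can be deleted on its own. */
static void demo_xfer_dup(struct demo_peer *to, const struct demo_peer *from)
{
	to->hostname = demo_strdup(from->hostname);
	to->domainname = demo_strdup(from->domainname);
	to->soft_version = demo_strdup(from->soft_version);
}

/* Number of string fields where a and b point at the same allocation.
 * Each such field is freed twice once both peers are deleted. */
static int demo_shared_strings(const struct demo_peer *a, const struct demo_peer *b)
{
	return (a->hostname && a->hostname == b->hostname) +
	       (a->domainname && a->domainname == b->domainname) +
	       (a->soft_version && a->soft_version == b->soft_version);
}

static void demo_peer_delete(struct demo_peer *p)
{
	free(p->hostname);
	free(p->domainname);
	free(p->soft_version);
	p->hostname = p->domainname = p->soft_version = NULL;
}

/* Transfer between two peers, report the shared-pointer count, tear down.
 * Returns -1 if the copied peer is not usable after the source is deleted. */
int demo_run(int use_dup)
{
	/* Constructed sample values. */
	struct demo_peer from = { demo_strdup("tor1"), demo_strdup("example.net"),
				  demo_strdup("FRRouting/demo") };
	struct demo_peer to = { NULL, NULL, NULL };
	int shared;

	if (use_dup)
		demo_xfer_dup(&to, &from);
	else
		demo_xfer_alias(&to, &from);

	shared = demo_shared_strings(&to, &from);
	if (shared) /* drop the aliases so this demo itself does not double-free */
		to = (struct demo_peer){ NULL, NULL, NULL };

	demo_peer_delete(&from);
	if (!shared && (!to.hostname || strcmp(to.hostname, "tor1") != 0))
		shared = -1;
	demo_peer_delete(&to);
	return shared;
}

int main(void)
{
	printf("pointer assignment: %d shared strings\n", demo_run(0));
	printf("duplicated strings: %d shared strings\n", demo_run(1));
	return 0;
}
```

Building with `-fsanitize=address` and removing the alias-dropping line reproduces the same class of double-free report on the second `demo_peer_delete()` call.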
choppsv1 pushed a commit that referenced this pull request Mar 14, 2026
If we send a malformed packet (e.g.: fuzzing) we might hit this ASAN path:

==41852==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000545fb8 at pc 0x55555634522a bp 0x7fffffffca10 sp 0x7fffffffca00

READ of size 8 at 0x603000545fb8 thread T0

    #0 0x555556345229 in encap_unintern bgpd/bgp_attr.c:347
    #1 0x555556345229 in bgp_attr_unintern_sub bgpd/bgp_attr.c:1568
    #2 0x555556345857 in bgp_attr_unintern bgpd/bgp_attr.c:1617
    #3 0x555556b190a1 in bgp_adj_in_set bgpd/bgp_advertise.c:174
    #4 0x5555566864b5 in bgp_update bgpd/bgp_route.c:5710
    #5 0x555556696a20 in bgp_nlri_parse_ip bgpd/bgp_route.c:8129
    #6 0x5555565ed441 in bgp_update_receive bgpd/bgp_packet.c:2527
    #7 0x5555565ed441 in bgp_process_packet bgpd/bgp_packet.c:4142
    #8 0x7ffff6c1aae6 in event_call lib/event.c:2730
    #9 0x7ffff69f0797 in frr_run lib/libfrr.c:1258
    #10 0x555556329787 in main bgpd/bgp_main.c:549
    #11 0x7ffff571ad8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #12 0x7ffff571ae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #13 0x555556330b94 in _start (/usr/sbin/bgpd+0xddcb94)

0x603000545fb8 is located 8 bytes inside of 24-byte region [0x603000545fb0,0x603000545fc8)

freed by thread T0 here:

    #0 0x7ffff7680537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x555556343a31 in encap_free bgpd/bgp_attr.c:237
    #2 0x555556343a31 in encap_unintern bgpd/bgp_attr.c:357
    #3 0x555556343a31 in bgp_attr_unintern_sub bgpd/bgp_attr.c:1568
    #4 0x555556345857 in bgp_attr_unintern bgpd/bgp_attr.c:1617
    #5 0x5555566886dd in bgp_update bgpd/bgp_route.c:6070
    #6 0x555556696a20 in bgp_nlri_parse_ip bgpd/bgp_route.c:8129
    #7 0x5555565ed441 in bgp_update_receive bgpd/bgp_packet.c:2527
    #8 0x5555565ed441 in bgp_process_packet bgpd/bgp_packet.c:4142
    #9 0x7ffff6c1aae6 in event_call lib/event.c:2730
    #10 0x7ffff69f0797 in frr_run lib/libfrr.c:1258
    #11 0x555556329787 in main bgpd/bgp_main.c:549
    #12 0x7ffff571ad8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

previously allocated by thread T0 here:

    #0 0x7ffff7680a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7ffff6a3f0d2 in qcalloc lib/memory.c:111
    #2 0x555556363f62 in bgp_attr_encap bgpd/bgp_attr.c:3180
    #3 0x555556363f62 in bgp_attr_parse bgpd/bgp_attr.c:4340
    #4 0x5555565f0705 in bgp_update_receive bgpd/bgp_packet.c:2441
    #5 0x5555565f0705 in bgp_process_packet bgpd/bgp_packet.c:4142
    #6 0x7ffff6c1aae6 in event_call lib/event.c:2730
    #7 0x7ffff69f0797 in frr_run lib/libfrr.c:1258
    #8 0x555556329787 in main bgpd/bgp_main.c:549
    #9 0x7ffff571ad8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-use-after-free bgpd/bgp_attr.c:347 in encap_unintern

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>