From 20593bf0fb520d6a5283df3fbd9eba56e96b7edd Mon Sep 17 00:00:00 2001 From: Carmine Scarpitta Date: Fri, 3 May 2024 23:35:05 +0200 Subject: [PATCH 1/2] bgpd: Fix crash when deleting the SRv6 locator When BGP receives a `SRV6_LOCATOR_DEL` from zebra, it invokes `bgp_zebra_process_srv6_locator_delete` to process the message. `bgp_zebra_process_srv6_locator_delete` obtains a pointer to the default BGP instance and then dereferences this pointer. If the default BGP instance is not ready / not configured yet, this pointer is `NULL` and dereferencing it causes BGP to crash. This commit fixes the issue by adding a check to verify if the pointer is `NULL` and returning early if it is. Signed-off-by: Carmine Scarpitta (cherry picked from commit ae3241b96d7be08d627f142030a41031492ffaf5) --- bgpd/bgp_zebra.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bgpd/bgp_zebra.c b/bgpd/bgp_zebra.c index 87f2e55b3f..d22c57c1a7 100644 --- a/bgpd/bgp_zebra.c +++ b/bgpd/bgp_zebra.c @@ -3210,6 +3210,9 @@ static int bgp_zebra_process_srv6_locator_delete(ZAPI_CALLBACK_ARGS) struct in6_addr *tovpn_sid; struct prefix_ipv6 tmp_prefi; + if (!bgp) + return 0; + if (zapi_srv6_locator_decode(zclient->ibuf, &loc) < 0) return -1; From 238f2b0d14a0a945e1930df0e106f9efa6d2e388 Mon Sep 17 00:00:00 2001 
From: Carmine Scarpitta Date: Sun, 5 May 2024 07:25:57 +0200 Subject: [PATCH 2/2] bgpd: Fix the order of NULL check and ZAPI decode When BGP receives an SRV6_LOCATOR_ADD message from zebra, it calls the `bgp_zebra_process_srv6_locator_add()` function to process the message. `bgp_zebra_process_srv6_locator_add()` decodes the message first, and then if the pointer to the default BGP instance is NULL (i.e. the default BGP instance is not configured yet), it returns early without doing anything and without using the decoded message information. This commit fixes the order of the operations executed by `bgp_zebra_process_srv6_locator_add()`. We first ensure that the default BGP instance is ready and we return early if it is not. Then, we decode the message and do something with the information contained in it. Signed-off-by: Carmine Scarpitta (cherry picked from commit bdc2c7bc5473b5582419702211c22e5d29bf0631) --- bgpd/bgp_zebra.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bgpd/bgp_zebra.c b/bgpd/bgp_zebra.c index d22c57c1a7..fe29662e28 100644 --- a/bgpd/bgp_zebra.c +++ b/bgpd/bgp_zebra.c @@ -3187,12 +3187,12 @@ static int bgp_zebra_process_srv6_locator_add(ZAPI_CALLBACK_ARGS) struct bgp *bgp = bgp_get_default(); const char *loc_name = bgp->srv6_locator_name; - if (zapi_srv6_locator_decode(zclient->ibuf, &loc) < 0) - return -1; - if (!bgp || !bgp->srv6_enabled) return 0; + if (zapi_srv6_locator_decode(zclient->ibuf, &loc) < 0) + return -1; + if (bgp_zebra_srv6_manager_get_locator_chunk(loc_name) < 0) return -1;
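Review bot: in `bgp_zebra_process_srv6_locator_delete` (patch 1/2), the new guard is only `if (!bgp)`, while the add handler in this series guards with `if (!bgp || !bgp->srv6_enabled)`. If the delete path also has nothing to do when SRv6 is disabled, use the same condition so the two handlers stay symmetric, or add a comment saying why delete differs. The hunk shows only the last two declarations above the check, so also confirm that none of the earlier declarations initializes from `bgp` the way `loc_name` does in the add handler. The early return is silent; a debug log there would make a dropped locator delete traceable.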
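Review bot: in `bgp_zebra_process_srv6_locator_add` (patch 2/2), the context line `const char *loc_name = bgp->srv6_locator_name;` still dereferences `bgp` in its initializer, ahead of the `if (!bgp || !bgp->srv6_enabled)` check this patch moves up, so a NULL return from `bgp_get_default()` faults before the guard is reached. Declare `loc_name` without an initializer and assign it from `bgp->srv6_locator_name` after the check, just before the call to `bgp_zebra_srv6_manager_get_locator_chunk(loc_name)`. With that change the reordering does what the commit message describes: instance check first, then decode, then use.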