From 84a89a8d2ef6c253c043fd724eec94fc456aab81 Mon Sep 17 00:00:00 2001
From: Stephen Worley <sworley@cumulusnetworks.com>
Date: Mon, 16 Dec 2019 16:37:14 -0500
Subject: [PATCH 1/2] zebra: null check re->nhe not re->nhe->nhg on attach

We should be NULL checking the entire re->nhe struct, not
the group inside of it. When we get routes from the kernel
using a nexthop group (and future protocols) they will only
pass us an ID to use. Hence, this struct can (and will be)
NULL on first attach when only passed an ID.

There shouldn't be a situation where we have an re->nhe
and don't have an re->nhe->nhg anyway.

Before this patch you can easily make zebra crash by creating a
route in the kernel using a nexthop group and starting zebra.

`ip next add dev lo id 111`
`ip route add 1.1.1.1/32 nhid 111`

Signed-off-by: Stephen Worley <sworley@cumulusnetworks.com>
---
 zebra/zebra_rib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c
index f375036db2..309b0f4301 100644
--- a/zebra/zebra_rib.c
+++ b/zebra/zebra_rib.c
@@ -228,7 +228,7 @@ int route_entry_update_nhe(struct route_entry *re, struct nhg_hash_entry *new)
 
 		if (old)
 			zebra_nhg_decrement_ref(old);
-	} else if (!re->nhe->nhg)
+	} else if (!re->nhe)
 		/* This is the first time it's being attached */
 		route_entry_attach_ref(re, new);
 

From b10d6b0744791a9b29c321b851cf734d1e1941de Mon Sep 17 00:00:00 2001
From: Stephen Worley <sworley@cumulusnetworks.com>
Date: Mon, 16 Dec 2019 16:46:30 -0500
Subject: [PATCH 2/2] zebra: pass type when finding individual nexthop

When we are doing a lookup on an individual nexthop,
we should still be passing along the type that gets passed
via the arguments. Otherwise, we will always think we own that
NHE when in reality anyone could have put that into the
kernel.

Before this patch, nexthops in the kernel will get swepped
out even if we didn't create them.

Signed-off-by: Stephen Worley <sworley@cumulusnetworks.com>
---
 zebra/zebra_nhg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zebra/zebra_nhg.c b/zebra/zebra_nhg.c
index 9065a265ad..e920ab812b 100644
--- a/zebra/zebra_nhg.c
+++ b/zebra/zebra_nhg.c
@@ -593,7 +593,7 @@ zebra_nhg_find_nexthop(uint32_t id, struct nexthop *nh, afi_t afi, int type)
 
 	nexthop_group_add_sorted(&nhg, nh);
 
-	zebra_nhg_find(&nhe, id, &nhg, NULL, nh->vrf_id, afi, 0);
+	zebra_nhg_find(&nhe, id, &nhg, NULL, nh->vrf_id, afi, type);
 
 	return nhe;
 }